I recently had the opportunity to speak at a security conference where I presented the operating models that an organization can embrace when managing cyberthreats and the guiding principles associated with them. It was a great chance to share some of my experiences with the greater community and foster intellectual curiosity around an increasingly important topic.

A Shift in Approach

Maintaining a strong security posture is a dynamic challenge for any organization. It depends on many factors, which can vary over time; companies across the globe are migrating to the cloud to scale more quickly, adopting the latest technology trends to expand the digital footprint and embracing new methodologies such as DevOps to accelerate time to market and address customer expectations.

Yet companies’ operating models are bolted onto an old paradigm that is not delivering the expected value. Although there’s no one-size-fits-all approach to the question of how to best organize the next security operations model, it is often effective to start with a top-down approach involving executives to establish a common aspiration and enable the broader transformation.

The four principles identified below are distilled from the lessons learned during many security transformation journeys.

1. Define Your Goals Clearly

A cybersecurity transformation requires leaders to clearly articulate the goals and principles that are driving it. After aligning all involved parties on these goals, executives can prioritize the work to be done.

Large organizations will have many items on their agenda, so it’s vital for management to agree on what comes first according to the principles. Moreover, this clarity helps middle management become a sponsor as well, enabling deeper, better-managed initiatives that harness the full potential of all available resources.

2. Build a Strong Security Culture

A strong security culture is the foundation of an effective operating model. However, this kind of mindset requires more than just the occasional security awareness training. To ensure every single employee sees security as an intrinsic part of their responsibilities, it’s necessary to build and maintain a security culture up, down and across all levels of the organization.

Using language accessible to all parties, provide clarity around security operations. Promote it as an enabling presence that protects the business and its employees rather than as a barrier that imposes restrictions on business.

3. Create an Adaptive Organization

When the security operations team works on an island, with no connection to cross-functional business strategy, the results of their work have limited impact. Imagine the vulnerabilities created by a large IT project with no involvement or oversight from the security team.

Security should be integrated into all processes from the ground up rather than as an afterthought to the main objective. Although there’s no specific organizational model for adaptive security, creating interdepartmental teams that make integrated decisions to protect corporate information and assets is paramount. Companies achieve their goals more quickly and efficiently by joining forces rather than making fragmented, piecemeal efforts across the enterprise.

4. Partner to Strengthen Readiness and Resilience

It’s no longer possible to succeed alone. The role of many cybersecurity firms has evolved from a provider of technology to, in many cases, a key member of the executive team.

Many companies require a trusted partner to guide their security operations centers (SOC) through their security transformation journey and advise them in day-to-day security and threat operations. Sourcing best-in-class capabilities from partners not only allows an organization to grow with less capital, but also enables it to pursue innovation through collaboration.

Don’t Wait for Threats to Come to You

Boards and CEOs alike must reevaluate the security journey from end to end, as countless organizations in both the public and private sectors and across all industries have lost a lot due to security incidents. Transforming the old security operations model is crucial to unlocking cyber resilience capabilities that enable an organization to stay ahead in this ever-changing threat landscape.

Again, there’s no one set way to accomplish this transformation — multiple roads can lead to success. But making the right choices at the beginning of the journey is fundamental to achieving and sustaining business results.

It’s never too soon to start laying out a road map that fits your organization’s resources — people, processes, culture and technology — to set the stage for your next-generation security operations model.

More from CISO

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…