Physical distancing mandates – which have characterized the past 18 months – have precipitated a sprint towards digital-first business strategies. With this, many organizations achieved previously unthinkable transformation velocities. With the developed world now returning to in-person activities, there is no indication of abatement in the pace of digitization. This presents a challenge to CISOs: how do they build elasticity and scalability into their security programs in a way that enables them to continue adapting to evolving business requirements? Many CISOs are rising to this challenge through transforming their security operating models.
Traditional security operating models lack the maturity and agility to defend against the extreme and highly dynamic cyber threat landscape. Getting the security operating model ‘right’ must therefore remain a key priority for business leaders. Having supported numerous organizations in successfully implementing a security target operating model, KPMG has developed the following insights:
- Security operating models must be able to flex based on unexpected changes in the business environment or threat landscape.
An unfortunate inevitability: all organizations should expect to incur a major security incident at least biennially. Over the course of a two-year cycle, the threat landscape changes beyond recognition. Organizations need dynamic operating models that continuously right-size to reflect live changes in risk profile and risk appetite. Security organizations need the ability to continuously redefine their priorities based on real-time threat assessments, and security service delivery models need the capacity to readily incorporate shifts in focus.
- Coordinating security incident response teams is the biggest challenge for many organizations. This should be a key priority and a litmus test for security operating model maturity.
Typical points of miscoordination in security incident response processes include SOC detection rules that lack use cases based on the latest threat intelligence, and CMDBs that are incomplete, making it difficult to determine the population of impacted assets. This challenge is compounded by the increase in exposure from supply chains, meaning that coordination is required beyond the organization’s perimeter. Without a next-generation security incident response capability that can coordinate across disparate teams, organizations will be unable to respond effectively to an inevitable security incident. This may result in irreparable damage to customer trust.
- Aligning capabilities that have historically been considered discrete is critical to defending against the next generation of threats.
Historically, organizations have developed artificial boundaries partitioning domains such as fraud, authentication, financial crime, and cybersecurity. CISOs can increase the return on security investment several-fold by improving capability interoperability across these disparate security domains. A more comprehensive view of adjacent security risks improves the accuracy of detection capabilities. Consistency in governance, processes and preventive measures streamlines operations and reduces the overlap of functions, driving efficiencies.
- A lack of executive sponsorship and insufficient oversight result in reprioritization and failed initiatives.
Gaps in the interaction model between cyber strategy teams and executive committees, as well as the second and third lines of defense, will stymie security target operating model implementation. Strategic alignment between security and the business, technology, risk, and audit organizations is imperative for sustainable security program success. A transparent interaction model across the governance layer, supported by executive-oriented metrics and reporting, enables this.
There is cause for optimism: executive leadership clearly recognizes the importance of investing in security. The KPMG 2021 CEO Outlook Survey found that cyber security risk is the #1 threat to growth. Against this backdrop, CISOs with strong Board engagement capabilities should be confident in requesting the investment required for security operating model transformation.