
Designing a target operating model for an organisation is a complex activity. It is important, therefore, to keep it simple initially. At a very high level, I suggest CISOs start with three key capabilities:
- Governance, Risk and Compliance
- Security Architecture
- Security Operations
These can then be decomposed further, tailored to the needs of your particular organisation. Understand how each domain interacts with and supports the others, capturing the key outcomes and dependencies of each function.
Key security capabilities are supported by Leadership and Governance streams, including Security Strategy, Business Alignment, Integration, Oversight, Optimization, Finance, Security Culture, Program Management, Stakeholder Management and Reporting.
Business-as-usual activities required to keep the lights on are often neglected when capability uplift is prioritised. For this reason, I placed business as usual in the centre of the diagram, emphasising the ongoing importance of providing a consistent security service to your organisation.
The NIST Cybersecurity Framework functions, placed at the intersections of the domains, aim to illustrate the collaborative nature of the security teams. It is important to go beyond silos, ensuring frequent interaction with the business as well as within the security department.