Security Target Operating Models and why every Organisation needs one – An interview with Shanne Edwards

Shanne Edwards is a Senior Advisor within the Risk Management team at NCC Group. Having previously worked with Pearson and Vodafone, he has delivered significant security improvements worldwide to ensure compliance in some of the biggest businesses in the finance sector. Considered an expert ‘Agent of Change’, he’s always happy to help any business grow, expand and improve. The Cyber Leader’s Network spoke to Shanne to discuss:

  • What does the future of cyber security look like?
  • How the Internet of Things is changing information security forever
  • Why every successful cyber security team needs a Security Target Operating Model.


1) What is the biggest problem facing cyber security in 2019?

2) Do you think that there is a general lack of training when bringing people into cyber security?

3) How has cyber security changed in the last five years?

4) Do you think cyber security firms do enough to train their staff?

5) Do you think cyber security firms do enough to retain their staff?

6) What do you think will be the biggest risk in cyber security in the future?

7) How do you think we can secure the Internet of Things moving forwards?

8) Do you think there is enough awareness in the market with people buying these products?

9) What is the most common mistake you see organisations making, in relation to cyber security?

10) In your opinion, what is the best way to encourage someone to enter the cyber security industry?

11) In your opinion, what are the top priorities, both strategic and tactical, for an organisation in order to address cyber security challenges?

12) How do you see privacy impacting cyber security in the future?

13) What is a Security Target Operating Model?

14) Why is it important for organisations to have a Security Target Operating Model?

15) What is required to implement a Security Target Operating Model?

16) What makes a good Security Target Operating Model?

17) How do you get Senior stakeholders to buy into your Security Target Operating Model?

18) What is the biggest benefit of a Security Target Operating Model?

19) Does a Security Target Operating Model have an impact towards resourcing and people?

20) What are the key things to do after defining your Security Target Operating Model?

21) Where do you think most people fail when trying to deliver against a Security Target Operating Model?


1) What is the biggest problem facing cyber security in 2019?

‘So I think the skill shortage is definitely one of the top things that’s on many senior execs’ agenda, with regards to the challenges of cyber today. I think there’s a lot of demand essentially for cyber professionals, there’s a shortage of people coming through into the marketplace and also there are sometimes challenges in terms of the types of skills that they have and how convertible they are to the new challenges and new attack vectors and threats that we see arriving within the enterprise. There’s a bit of a skills mismatch, there’s a shortage of people, and we need to kind of work with that, in terms of how do we take it forward: how do we get better population of the vacancies that are out there, and how do we actually bring people on from university or from apprenticeship schemes and into the industry so they’re not left unguided or too unfamiliar with the territory that they’re walking into.’


2) Do you think that there is a general lack of training when bringing people into cyber security?

‘There’s definitely a need to be more structured about how people will come into the organisation and into the industry itself. We can do more around the grading of roles at certain levels and standardise the terms that are applied to different types of role, whether it’s a SOC Analyst, whether it’s the GRC professional. The industry can do a lot more to really make that a bit more of a seamless experience for not only the candidates that are coming in to the marketplace, but also for the recruitment agencies and the clients that are out there. They need these people to come into the roles that they’ve got available.’


3) How has cyber security changed in the last five years?

‘What we’ve seen more recently is a big shift in terms of the operating environment for many organisations today. We’ve gone from traditional on-premise type environments to more cloud-focused and IoT-focused environments and they bring with them a completely different set of challenges. I think a lot of organisations have prepared well for the traditional old-school world but haven’t really invested or thought too much about how they would secure the cloud or IoT type world. So it’s something that really needs to be focused upon: how do we take that evolution away from the traditional on-prem and move towards more cloud and the emerging technologies that we’re seeing come through today.’


4) Do you think cyber security firms do enough to train their staff?

‘The simple answer is there’s always more that can be done. There’s still an appetite for people to learn more. There’s always the balance of doing the operational day-to-day work, aside from advancing their own skillsets and being able to invest some time into that, but we need to strike a balance. The threat landscape is evolving, it’s changing on a daily basis and we see new attack vectors and new exploits coming through all the time, so we really need the people to be upskilled consistently and constantly to be able to deal with those threats as they come in.’


5) Do you think cyber security firms do enough to retain their staff?

‘Now in this, there’s certainly a lot more that can be done around retention. A lot of it is really just making sure that your security team are actually engaged with what goes on in the business. They understand what the objectives are and what the vision is for the future of the business so they can feel they’re playing more of a role in protecting the personal data or intellectual property of the organisation itself. So there’s definitely a need for people to start to understand more about why they do the things that they do.’


6) What do you think will be the biggest risk in cyber security in the future?

‘I mentioned the Internet of Things, it’s something that I’m quite interested in and quite passionate about. We see these billions and billions of devices and equipment come on to the internet and start to interact more with people’s lives, whether it’s connected cars or whether it’s smart home devices, it just opens up the attack surface to a much wider plane of exploits. We have to be really focused and figure out how we’re going to tackle the challenges that’ll be coming forward with IoT and with the convergence of cloud wrapped around that as well.’


7) How do you think we can secure the Internet of Things moving forwards?

‘Standardisation is one of many ways in which we can try to make sure that the risk associated with IoT equipment that’s coming out from the various suppliers and vendors is contained and regulated from a risk perspective at least. Looking at some form of standardisation, compliance, regulation – call it what you will – and then trying to control that in a way that is practicable and meaningful, just to make sure that we don’t necessarily just let every device, every manufacturer come onto the market in terms of a new whiz-bang pop type thing that’s coming on. We actually make sure we’ve got at least those preliminary basic measures covered in terms of data privacy, in terms of ensuring that they’re not susceptible to malware, making sure we’ve got some visibility of whether there’s the ability to log and monitor the activity that’s going on with these devices. There are many different things that we can try and get the supply chain, get the vendors to engage with, to make sure that privacy and security is built into these devices by design from the very start. It’s going to take some time to enable that but it’s something we should strive to achieve as an industry.’


8) Do you think there is enough awareness in the market with people buying these products?

‘No, definitely not. You can see that there’s more that’s been done though in terms of making sure that people are aware of the various risks and the various individual suppliers that have challenges with some of the services, and some of the products that they supply. There’s a lot more that needs to be done in terms of raising general awareness around why these things are important. What types of personal data could be leaked by virtue of using these services? Yes, they’re great in terms of bringing added features to our lives and making life a whole lot simpler, but there also comes risk with that. I think if people were more aware of that in terms of what they were actually potentially exposing themselves to, then they might think again in terms of how they actually approach them, make sure configuration is appropriate, make sure the use is appropriate, and just to actually make it more secure.’


9) What is the most common mistake you see organisations making, in relation to cyber security?

‘It’s really about communication and how they actually explain and express what it is that cyber represents and what the security team does essentially to support the objectives of the organisation. Certainly having some form of understanding, some visibility of how security aligns essentially to the objectives of the business. It’s really important and it’s something that we don’t do so well as a security community, and it’s something that we need to engage with a lot more, in terms of being able to express that clearly.’


10) In your opinion, what is the best way to encourage someone to enter the cyber security industry?

‘I’m a futurist by heart, so getting people to think about what the next big thing is going to be, what the next solution will be, what the next environment might look like, and get them excited and enthused around playing some role in that from a security perspective. Whether it’s looking at privacy issues, whether it’s looking at security controls, and monitoring or forensics and how you respond to incidents associated with new technologies. That could all change in the next 10 to 15 years, and we need that younger generation to start to get engaged, to think about the future and what role the security team will play in that, and hopefully we’ll get excited by seeing those changes in technology, and making sure that we bring security on the journey with them as part of that approach.’


11) In your opinion, what are the top priorities, both strategic and tactical, for an organisation in order to address cyber security challenges?

‘In today’s world where we have a notion, a shadow of a perimeter, tactically we just need to confirm that what we do have within the bounds of the enterprise environment is secure. Commonly, I’ve worked with a number of organisations that perhaps have seen that over the years they haven’t invested so well in security, but focused on functionality, and that means that the environment has grown to the point that they don’t necessarily know where everything is, and what the status of everything is across the organisation. Doing that kind of initial assessment as to actually “Can I sleep properly at night, knowing that my environment is secure, that I’m not leaking basic credentials out to the internet, that I’m not releasing sensitive data, exposing sensitive data through a service or website that I run.” Getting that basic kind of tactical understanding of what’s really going on in the environment is crucial, but also then looking at the strategic view is forming that vision of where I need to be in the next three years, the next five years, where’s the organisation going, where do I need to focus my efforts in terms of security, and being able to put my strategic hat on and start to think about the future, whether it’s looking at the general digitalisation of the enterprise; whether it’s looking at cloud migrations or other new technologies, IoT, and building in capabilities and forward planning to deal with that. There are lots of different technologies and lots of different controls that can be put in place both in terms of people, process and technology, but it’s really about forming a rounded view as to how you’re going to get to that target state in the next three to five years, and make sure that you can head off any nasty risks or surprises that are coming down the line.’


12) How do you see privacy impacting cyber security in the future?

‘We saw the advent of GDPR last year on the 25th of May 2018, and with that, we get the convergence essentially of privacy and the rights of the individual data subjects, and the various controls that are prescribed in terms of how they should be protected. I think in the future we’ll see a closer convergence of how those two principles come together in one consolidated way. I think perhaps at the moment, we see a tendency still to treat the two camps quite separately: we have a cyber security profession and role there and we see the privacy and the legal side over here, and we are getting closer, but I think we’re going to see a much closer knitting of those two frameworks coming together, so that we do have perhaps lawyers that are cyber security specialists and similarly, we have cyber security specialists that become legally qualified and legally competent in those areas. I think we’ll see a much closer convergence of the two domains over time.’


13) What is a Security Target Operating Model?

‘A Security Target Operating Model allows the security team to describe how it supports the business in terms of alignment of objectives, so really it’s a vehicle by which the strategy of the security team can be explained, usually in terms of where it is today and where it needs to be over a three to five year period.’


14) Why is it important for organisations to have a Security Target Operating Model?

‘I think a lot of organisations today are going through change in many ways, and it’s important that the security team can redefine what their incremental and step-change activities are across a three to five-year investment period of change. I think you see a lot of organisations that do good stuff in terms of tactical things but they’re not really thinking about the bigger picture, and the strategy that needs to be explained to those that are going to be affected by the changes that are put in place. That’s one of the reasons why it’s really important to be articulate about what the vision is for the security team in the future, and also to describe what steps are necessary in order to take you on that journey to get to the end point that you have envisioned.’


15) What is required to implement a Security Target Operating Model?

‘Implementation is a big part of the process obviously. The setting of a strategy is almost the easier part, but actually implementing it takes a lot of effort and a lot of structure in terms of delivery. Defining the scoping of individual workstreams associated with the change activities and actually converting on those, actually being able to deliver against those objectives that have been set, is an important part of it. It takes a lot of effort, it takes a lot of commitment in terms of not only the CISO team or the security team themselves buying into it, but also getting the board and Ex-Co level of leadership input and support for the objectives that are being set.’


16) What makes a good Security Target Operating Model?

‘So, there’s a number of different component parts that make up the Security Target Operating Model. The first thing is to identify what the drivers and influences are for your strategy going forward, so it might be that you need to examine the cyber threat landscape that you exist in. You might need to look at the key risks and some of the incidents that you’ve experienced over a period of time, but it’s starting to get an understanding of what it is that’s driving you and pushing you to put in place your strategy and to pursue a program of change. The second part of the Security Model looks at the framework, the storyboard that represents what it is the security team does to support the enterprise. It could be looking at the different functions and what roles they play and the dependencies between the various parties. It could be looking at GRC (the governance, risk and compliance component of a security team) and how that relates to setting the policy and the governance activities, training and awareness, and how that then relates to the security architecture functions, so they would respond essentially to the risks that have been identified, the policies and standards that have been set from a GRC perspective. Then that would convert into a package of work, from security architectures defined in a blueprint or a design, into the delivery function; they would deliver on the obligations and the objectives that have been set out within the designs that trace back to the policies and the standards.
That would then go into the operational world where the various controls would persist in terms of the operational lifecycle of a particular service or product, whatever it might be, and they would do the heavy lifting essentially in terms of logging and monitoring and any additional controls that have been defined, and then finally looking at things like testing and validation, so, how independently aware are we as to the effectiveness of the controls that are put in place. It could be a penetration test, it could be vulnerability scanning, it could be a number of different requirements, validation or compliance management activities that we would put into that area, and then obviously whenever we have gaps that emerge in terms of those activities, then they all relate back to risk, and so really we’re talking about a life cycle of risk and how we mitigate that threat through those various phases of the security team’s activities. We also then think about the need for a service catalogue. How do we present the capabilities that the security team offers to the enterprise? Often what we see is that that’s quite isolated and very few people know about what the security team actually do, but we need to open a shop window, we need to be very service-oriented in how we present the capabilities to the enterprise, and that really talks to things like service-level agreements, looking at the coverage of the service itself, looking at the operational procedures and looking at the various KPIs and SLAs etc. that fit into that. That’s a really important component also of the Target Operating Model. We also think about the organisational design that supports the services that we’re setting out and looks at the framework that we envisage for the organisation, so how does that look in terms of reporting lines and owners of the various functions and the day-to-day management of the team, and then following on from that you have to look at the sizing of that team.
How many people do we need to support the GRC function? What demand do we have for security architecture and the support they do? How many licenses and how big a SIEM platform do we need, or a SOC, to do the security operations activities? All of that, in terms of sizing, is important because it supports the success criteria essentially for the security team, because if they have too much demand or not enough capacity then we’re kind of doomed to fail and we’re always trying to play catch-up in terms of what we can cover within the organisation. Then last but not least, for me in terms of the Target Operating Model is, what is the plan? How do we transition from where we are today to where we need to be in three to five years’ time? What’s the effort required, either internally or with support from external partners, to actually get this thing mobilised and to make it work? Making the commitment is one thing but actually then delivering on it is another. For me, that transition plan is important because it essentially defines what security improvement program, or what security transformation program, you may wish to initiate in order to address what you’ve set down within the Security Target Operating Model.’


17) How do you get Senior stakeholders to buy into your Security Target Operating Model?

‘I think a lot of it is down to alignment really. Alignment of objectives: so at the end of the day senior executives are largely focused on the importance of the success of the business, and that doesn’t always include an understanding of what goes on from a protection of personal data perspective, or protection of intellectual property perspective, and the availability of the services that their consumers consume. Effectively having a relationship that shows how security supports those tenets from the business objectives perspective, so what are the critical success factors for a particular web platform that the business runs in terms of how it relates to a specific revenue stream, then we would need to show how security underpins the availability of that particular platform, the confidentiality of the data that resides – is processed or transmitted essentially – through the application itself, and just showing actually the relationship and the alignment between the objectives from a risk mitigation and compliance perspective versus the objectives of the business and how it wants to drive forward on that front.’


18) What is the biggest benefit of a Security Target Operating Model?

‘Aside from the obvious capabilities that are going to be delivered through the transition plan, and the programs that are usually set upon the back of defining your Target Operating Model, the main benefit that we see is that this position of alignment between what the business needs to do and the objectives that are set out, versus the needs and the objectives of the security team, they become more aligned. That’s the major benefit, that we start to see a better harmonisation of the relationship between security and the business, and then we can start to have meaningful conversations about things like the accountability of risk and the ownership of risk, because they’re based on a premise where we have that alignment better identified and structured. That’s one of the key benefits for me, seeing that alignment, and then turning it around really and seeing that relationship work a lot closer because people understand one another from a business perspective versus the security perspective.’


19) Does a Security Target Operating Model have an impact towards resourcing and people?

‘Certainly there is some effort required to enact, to move forward and to deliver against the Target Operating Model. From experience, that can involve either an internally-led activity team or it can bring in the need for external partners to become involved as well. I think certainly for some organisations that try and balance both the day-to-day operational world versus delivering something that’s really critical and quite strategic and important, it can become a bit of a challenge; they get kind of drawn back into the operational activities too much and therefore the strategic and long view suffers, and therefore you never really progress to a better place because you constantly have to work on the operational workload. It’s not an easy thing to do. My recommendation is that you need to create a hybrid model.’


20) What are the key things to do after defining your Security Target Operating Model?

‘With so many objectives set at that point, with so much work essentially ahead of you in terms of improvement, either incremental or step change, the sensible thing is to initiate a program of work that starts to track the transition plan that you’ve set out within the Target Operating Model. That usually forms a security improvement program or a security transformation program where you’d stand up a number of key workstreams, be they tactical and/or strategic, with some prioritisation around the things that really matter to the enterprise, and actually start to work on delivering that in a program-oriented way. At the end of the day, a program is something with a defined start and a defined finish, and so for me this is perfect in terms of the relationship between defining your Target Operating Model and actually working on a program of work that actually delivers the benefits and the outcomes you’re seeking to achieve. That’s a natural next step really: get the support of the board in terms of what you’re defining and what’s been set out within the Target Operating Model, then actually execute it and deliver the benefits and deliver all of the controls and the mitigating capabilities that have been set out in the Target Operating Model itself.’


21) Where do you think most people fail when trying to deliver against a Security Target Operating Model?

‘Again, I think it’s about trying to keep the day-to-day activities on the go, on the boil, dealing with the events and the incidents, and the hot potatoes essentially that come through every day, but not really having the time, the capacity, the bandwidth to focus on the strategic view in the longer term. That’s typically where I see a lot of programs either not necessarily fail, but not achieve the things that they set out which they need to achieve, or they find they’re struggling against the timescales, or they are over-spending on the budget, or they’re not able to commit the resources to these activities because they haven’t thought about the impact of doing both of these things in parallel: the operational activities and the change activity that is wrapped around security transformation.’