Baseline Operating Model

Several readers asked me to send them a TLDR of the Security Operating Model and the Force Multiplying Security articles I posted. They also wanted to see if I could combine them to create a small guide that could be used.

I found this to be a great idea and the result is this simple baseline guide. It might change as I continue to extract the core of what I think should be the standard operating way for a modern organization.

The Baseline Operating Model

What

Security is not here to:

Perform every security action needed to secure the organization.

Block or dictate what can and can't be done.

Stop forward momentum.

Security is here to:

Help secure the organization by force multiplying.

How

Force Multiplying

Security writes guidelines and policies that serve as a Northstar for the company and its teams.

Security creates automation and self served processes so people can do security themselves, it's their obligation to secure their areas of responsibility.

Security creates guardrails to make sure the standard and minimum baselines are maintained within the confines of the guidelines and policies.

Security educates other organizations and teams, and works with them so they have the needed information and tools to secure their domain.

Problem Handling

Security enforces the guidelines and policies whenever an action generates security risk.

Security escalates problems and risk as soon as there is minimal friction so solutions can be found by engaging the right people in a leadership role.

Note: This is part of The Laws Of Security website.