Security Operating Model
Dec 2018 - Updated Aug 2021
Introduction
Unless purposely designed to be simple and unobtrusive, security tends to become over-complicated, especially when the people utilizing security are not part of the security organization. There is a very clear need to rethink how security is planned and executed, because the more involved it is, the more people will try to bypass it altogether.
So, as we think about and design security solutions and processes, we must keep in mind the need to keep them simple, unobtrusive, and fluid, always asking ourselves: can I explain this solution simply, on a piece of paper? If the answer is no, then we need to rethink the solution.
Part of this complexity lies in how the security organization and its leaders plan and behave, often building a program that is too restrictive, without any feedback from the teams that would be on the receiving end of it, or, due to lack of prioritization, focusing on the issues that are not urgent.
This Security Operating Model provides a set of guidelines and principles that will enable a more fluid approach to security, allowing the program to be lighter and empowering the security leaders and their teams to build better integrated and automated security.
End Goal of Security
The goal of security is to become a force multiplier for the business, allowing it to succeed and grow while keeping its key assets protected and secured.
Effective security is simple, open, and automated. By simplifying and automating security we can focus on providing the right guardrails needed to keep the business running in a safe way, and by being open and transparent in our practices and communication, we begin the process of force multiplication, teaching security and trusting the teams to have the business needs and security in their minds as they design the next products.
But security begins with people. Technology and process complement the people, not replace them. We need to educate people, create simple processes, then implement technology. Pick the right people. Quality is better than quantity.
What's Expected From Leaders
All leaders in the security organization are expected to own their areas of responsibilities: leaders are ultimately responsible for all that happens in their teams. It is always the leader’s responsibility if something doesn’t work, and always the team’s success when they do.
Leaders are required to be independent in thinking, making decisions, and providing their teams with the direction and information they require to be successful. The teams come first.
Leaders are responsible for clearly explaining and prioritizing the goals and objectives to their teams (see The Team below). In order for this to happen, information must flow in all directions, enabling everyone under the leader, at the same level of the leader, and above the leader to have all the information needed to make decisions independently, and enabling them to complete the goals successfully.
Remember:
- When in doubt, ask questions. Always ask for information if it was not given, or was not clear
- Always give information, to the fullest extent possible, in a clear and concise way to all your subordinates, and your manager so they can all be successful
Consistently empower your team members to step up and lead. Make sure they always have what they need to be successful.
Remember, our mission comes first, followed by the needs of the teams, and finally, the needs of the leader.
What's Expected From All the Security Organization Members
The security organization is a small team of teams: a bigger team composed of smaller, more capable teams, where the sum of all those efforts makes for a successful organization. As such, we need to support each other.
We do this by:
- Sharing information
- Asking questions
- Providing context and help when needed
- Being humble and understanding that we don’t know everything
- Stepping up and becoming leaders when needed, and following when required
- Always searching for the best and simplest possible solution
Always strive for simple solutions and simple ways to communicate security issues. Always strive to work with the person in front of you to make them better at understanding security.
At the end of the day we are here to support a larger objective: secure and enable the business so it can continue to succeed. You must act decisively when needed, but always take into account the bigger picture.
The Team
Modern security organizations need to remain fast and light in order to adapt to the ever changing threat and technology landscapes that big companies operate in. The smaller and more fluid the team is, the more important each member’s role is, and the more room there is to collaborate instead of just manage or be managed.
Get Everyone On Board With The Team’s and Company’s Goals
It is extremely important to be specific and clear about the team’s goals, and the company’s objectives. Everyone in the security organization needs to be on the same page as we move ahead, modernizing the current security services and solutions.
Make those goals simple and easy to understand. Why? So there is no ambiguity. And if they need to change in order to adapt to new things, simple goals make it easy to explain why things are changing.
Let Each Team Be Free To Explore
Smaller teams require people to take on several roles at once, and this means taking on more responsibilities. For this to work well and not overwhelm the teams, autonomy is needed. The freedom to explore different solutions and each team’s own goals can help find the simplest and best ways, enabling a more successful team and creating motivation to further raise the bar on what they’re doing.
Automate And Self-Serve Whenever Possible
A small organization can make a big impact by taking advantage of automated processes, web tools that help automate more tasks, and a self-service approach to security. This frees the teams to tackle the more challenging security issues.
Build a Culture of Leaders
When the teams are small, with limited resources, it’s important to rely on the team’s professionalism and passion to keep the momentum forward and support each other. This means that each person in the organization must learn to lead and make decisions.
The virtue of small teams is that it’s easy to shape the culture teams operate on. So, shape that culture by leading and enabling freedom.
The Security Conversation
Everything we do needs to start with a simple conversation about security risk. Explaining what can go wrong, and tying it to how the business can be impacted, can break down many walls.
Furthermore, the more we talk about security risk with people, technical or otherwise, the more we can teach them security. If they can begin to understand what can go wrong, even if it’s nothing else but a simple thought, then slowly but surely a larger culture of security can be built.
Begin each conversation with a clear communication of what the risks are. Follow the three steps below to help communicate those security risks:
1. Risk Understanding
Understand what can go wrong and explain it the simplest possible way. Make sure you tailor the explanation to the person in front of you. They might not understand security concepts, so adapt your style accordingly.
2. Attack Scenario
Provide a pragmatic example of how the risk can result from an actual attack. Whether the explanation includes highly technical details or simply a high level explanation of what bad actors can do, make sure the example is something that the person in front of you can relate to.
3. Business Impact
Explain what the impact to the business is if this risk materializes. This could range from financial issues to reputation and other issues. At the end of the day leadership will make decisions based on risk, so we need to enable that with better information.
In short, whether you are trying to help people fix a security vulnerability, assess a new feature for a product, understand access requirements, or any of the seemingly endless areas where security is involved, always form a good picture of security risk by asking what can go wrong, and then communicate that to the right stakeholders.
Think About Baselines
Visit the Principles and Laws, work on establishing baselines, and make sure to create a system to monitor and detect any deviation from those baselines.
Note: Make sure you are constantly testing and stressing the processes, services, and tools that make your baseline. Change what doesn't work quickly.
Top Five Efforts For A Solid Baseline
The top five things that have the most impact in making security better:
- Understanding of the threat landscape.
- Identity and access management (including PAM - Privileged Access Management)
- Vulnerability management
- Risk understanding
- Single source of truth
Understanding of The Threat Landscape
Understanding the attack surface we continue to expose is one of the most important aspects of securing this company. This will help us focus on the right priorities. It is important to understand what we need to protect and the threats affecting our industry, our networks and systems, and the entire collection of internal and external assets.
Identity and Access Management
Develop a rigorous and pervasive identity and access management program. This should cover the full range of organizational privileges across internal and external (supply chain) as well as human and non-human. Establish strong governance over the program and create processes to sustain controls.
Monitor and control privileged access via a privileged access management (PAM) program.
The goals of identity and (privileged) access management are simple to state but immensely challenging to achieve. They are to make sure that:
- All subjects/systems are known, identified and authenticated.
- All assets are known
- Policies are defined for what subjects (or groups of subjects) with what attributes (or conditions) can access what assets with what privileges (or roles)
- Reality corresponds to policy, i.e. known subjects/servers/assets correspond to discovered subjects/servers/assets
- There is a process to manage the meta-information of groups, roles, and rules such that the policy intent corresponds to enterprise risk mitigation goals
- There is a documented access recertification process and a management process to close any deltas detected and to apply adjustments to resolve those
Vulnerability Management
Operate a vulnerability management program that goes beyond basic patch management into configuration and architectural vulnerability discovery.
Vulnerability management must be viewed as a layered approach, each layer building on the other and in turn becoming more powerful as a risk mitigation approach. The layers are:
- Coverage and landscape, criticality ranking, and dependency mapping
- Vulnerabilities, flaws, and weaknesses discovery and remediation
- Configuration errors and flaws discovery and remediation
- Defining and enforcing design patterns (architecture best practices) across the entire environment and collection of products, focusing on constraints and compliance enforcement
Risk Understanding
Begin conversations with an understanding of what can go wrong. Calculate the initial risk and communicate it the simplest way possible. Once the risk is understood across all moving parts (people, systems, software, processes, etc), provide a way to mitigate it.
Supply chain risk management must be taken to the next level. Set up governance, risk assessment and remediation for third parties and maybe even fourth or fifth parties.
Take into account also insider risks. Threats from previously trusted employees and contractors are increasing either as a result of disgruntlement or from coercion by bad actors. Therefore, create a program that focuses on blast radius reduction as the primary goal for insider threats mitigation. Make it harder to get to the crown jewels.
Single Source of Truth
Establish a place where all key data lives. This data will inform everything that security must know and be the source for identity, data sourcing, and monitoring. This single source of truth must be continuously updated and contain inventories of all the data mentioned previously, in order to support operational processes, software, and governance, and to detect discrepancies as fast as possible.
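The identity and access management goals above (reality corresponding to policy, closing any deltas found during recertification) and the single source of truth's job of detecting discrepancies both come down to the same reconciliation: compare the policy inventory against what discovery actually finds. The following is an added example, not code from the original document; the inventory layout, the asset names and the sample records are constructed for illustration.

```python
"""Reconcile access policy (single source of truth) against discovered reality.

Added example; the data layout and records are constructed, not real inventories.
"""
from dataclasses import dataclass, field

# Policy: subject -> asset -> privileges that the source of truth says are granted.
POLICY = {
    "alice": {"payments-db": {"read"}},
    "bob": {"payments-db": {"read", "write"}, "build-server": {"admin"}},
    "svc-deploy": {"build-server": {"deploy"}},
}
KNOWN_ASSETS = {"payments-db", "build-server"}

# Discovery: what an IdP export / scan actually found (constructed sample).
DISCOVERED = {
    "alice": {"payments-db": {"read", "write"}},   # privilege drift: extra write
    "bob": {"payments-db": {"read", "write"}},     # build-server admin grant no longer present
    "svc-deploy": {"build-server": {"deploy"}},    # matches policy
    "mallory": {"legacy-ftp": {"admin"}},          # subject and asset unknown to policy
}


@dataclass
class Delta:
    """Deltas between policy and reality that a recertification process must close."""
    unknown_subjects: set = field(default_factory=set)
    unknown_assets: set = field(default_factory=set)
    excess_privileges: list = field(default_factory=list)  # (subject, asset, privs)
    stale_grants: list = field(default_factory=list)       # in policy, not discovered


def reconcile(policy, known_assets, discovered):
    delta = Delta()
    # Pass 1: everything discovered must be explained by policy.
    for subject, grants in discovered.items():
        if subject not in policy:
            delta.unknown_subjects.add(subject)
        for asset, privs in grants.items():
            if asset not in known_assets:
                delta.unknown_assets.add(asset)
            allowed = policy.get(subject, {}).get(asset, set())
            extra = privs - allowed
            if extra:
                delta.excess_privileges.append((subject, asset, frozenset(extra)))
    # Pass 2: everything in policy should still exist in reality, else the
    # source of truth is stale and needs updating.
    for subject, grants in policy.items():
        for asset, privs in grants.items():
            found = discovered.get(subject, {}).get(asset, set())
            missing = privs - found
            if missing:
                delta.stale_grants.append((subject, asset, frozenset(missing)))
    return delta
```

Running this on a schedule (or on every inventory update) turns the "reality corresponds to policy" goal into a measurable backlog of deltas rather than a periodic manual review.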
The Need For Transparency
In order for security to be successful it must partner with other teams and organizations. This partnership must be built around one fact: people don’t understand the need for security. Security, therefore, has to be easy to understand, transparent, and codified in a way that lets it be automated as much as possible.
For this to happen, transparency has to start with the security organization and from there be taught and explained across the entire company.
The Purpose of the Weekly Security Briefing
The Weekly Security Briefing is where transparency begins. The Briefing meetings are used to outline the objectives of the team, assess past performance, discuss any possible queries the team may have, and provide awareness of what’s in flight to the entire security organization. It is also an opportunity to communicate wider organizational messages to all team members.
The end goal of these meetings is to enable each member of the security team to have all the information they need to be able to make decisions. These decisions often need to be made rather quickly; relying on information flowing back and forth between managers, directors, and above can take time, so the more information is in the hands of the people to begin with, the better these people will be able to make decisions.
How Security Helps Force Multiply
Similar to the Weekly Security Briefings, there is a need to have security provide knowledge transfer and information to all people that can benefit from it. Enabling the business, senior leadership, engineers, and other key stakeholders to understand "what can go wrong" and factor that into their planning and solutioning will help create secure products, relying less and less on security products.
Small Teams Tactics
Security needs to remain small and efficient. For that, the following needs to happen:
- Streamline your intake process. Make it easy for people to approach the security organization and ask for help
- Integrate and automate. In order to focus on actual work and not managing intakes, tickets, and documents, enable automation and security integration into the different parts of the company. Force multiply!
- Use dashboards and metrics to keep track of potential issues. Create dashboards to detect potential problems, risks, or bottlenecks in the current controls and processes. Early detection of security and/or performance issues can help steer the teams in the right direction on time
- Understand dependencies. If the work depends on some other organization or process, it is key to understand whether those dependencies are slowing the teams down or providing the right information / actions. We can only move at the speed of our dependencies
- Use time wisely. If we want our teams to be more effective, we need to understand where effort is being spent, so we can detect bottlenecks and inefficiencies. That’s where time tracking comes in. Better effort allocation is key to keeping small teams successful
- Loop and reevaluate. Take time often to perform a self assessment and see whether our processes and services are working at the level we were expecting. Early changes can often mean success in projects
- Be realistic about workloads and priorities. It’s easy to get overwhelmed by the number of tasks and projects that need to be done. One of the best things we can all do to avoid burnouts and lack of productivity is to ensure we can properly prioritize the work and be realistic about the workloads demanded. We can say “no”
To Finish
Modern security is often complex and seen as a blocker, especially in big companies. Security professionals need to look at a myriad of different technologies brought by developers seeking the cutting edge of current offerings, or by older processes left behind by past products. At best the different approaches to technology work together, but a lot of times they do not. Add to this the complex environment that needs to be defended, assessed, threat modeled, and defended again, and it’s easy to see how big companies - and some smaller ones as well - would try to grow their security organizations.
We must remove complexity from security by providing simpler processes and an automated option that best serves the person using it.
Focus on simple and clear, using the best practices and direction described above.