The Security Collective

Episode #46 Effective security operating models with Samm Macleod

“My advice on any security operating model is for the failures [of the model] to be dealt with quickly. Revise early.”

— Samm Macleod

Samm MacLeod is an experienced CISO and Information Security Leader with experience across the Financial Services, Retail, High Tech, Utilities and Energy sectors. With more than 20 years’ experience in technology risk management, security, and governance, Samm is an accomplished professional holding positions on executive boards relating to critical infrastructure (AEMO Industry Board) and Information Security education and research (Deakin Executive Board).

She has extensive experience developing Information Security Strategies and Operating Models, and has built effective, award-winning security teams (winner, ‘AISA Cybersecurity Team of the Year’, 2019). Having run a number of large Cybersecurity programs, Samm has experience helping businesses to embed effective security practices.

Samm’s subject matter expertise comes from an Honours degree in Technology and a number of professional certifications. She is an industry advisor in Information Security, a speaker, and an advocate for Women in Technology.

In this episode Samm and I discuss why it is important to have an effective Security Operating Model. We cover how an operating model differs from an org chart, why it's important to be flexible when creating one, how to measure its effectiveness, and why sometimes outsourcing its creation can be best for your business.

Links:

Time Stamps:

  • 00:47  How do you define security operating models?

  • 01:04 “It's the component that will help drive the security team to operational excellence”

  • 01:43  Why it’s important to anchor your security operating model to a strategy

  • 02:56  The risk of thinking an operating model is the same as an org chart

  • 04:58 “…so they go hand in hand, but they are different”

  • 05:14  What's the minimum you would need in an operating model to make it function against the strategy?

  • 07:28  Other than not being effectively implemented, what else could make an operating model fail?

  • 11:17  “make sure failures are dealt with quickly, because there will always be some”

  • 11:23  What to do if you realise the operating model is not working?

  • 13:37  How do you measure if an operating model has been successful?

  • 15:20 “a good operating model breaks down those barriers”

  • 15:54  Why outsourcing the operating model can ensure it’s delivered effectively, efficiently and within budget.

  • 20:07 “…you've got to weigh up a few of those things and figure out which way is the best way for you”