The Security Management Canvas

  • The Security Management Canvas (TSMC) is a template and strategic management framework that allows managers to visualize and assess all management activities on a single canvas. This one-page template contains five boxes that represent the five most important and fundamental elements of security management, and it encapsulates all information security activities that an organization undertakes.

    The five pillars of The Security Management Canvas

    1. Security business model (SBM): Communicate a strategic SBM that ties all security management elements together to convey the value of GRC, and to secure the investment needed
    2. Security strategy: Communicate a refined security strategy with clear goals and objectives to all stakeholders, and that includes sustainable control environment effectiveness as an explicit objective or goal
    3. Security operating models (SOMs): Communicate the current and target SOMs in a set of visualized operational maps essential for effective management to help diagnose constraints and drive progress
    4. Security frameworks: Integrate supplemental programs and governance frameworks; avoid selective application and instead fully implement them to achieve their intended benefits
    5. Security program: Manage the program and supporting frameworks collectively as an integrated GRC program (the maturity and support of your security program is supported by the other elements of the canvas)

    We will briefly review the five components of TSMC (introduced on pages 15 to 17 of the 2020 PSR) and follow with an explanation of the two important but lesser-known elements: SBM and SOM.

  • The security business model

    The SBM is an overarching model that ties all the elements together to obtain business support for security strategy. This model defines the objectives and how core processes are structured to deliver maximum value, and supports how the organization’s frameworks and models are aligned. (We described this concept on page 12 of the 2020 PSR.) The SBM precedes all other security management activities—for good reason. It appears first because you need it to secure investment in the other activities, and it ties the other elements of the canvas together to present the perspective and input needed for decisions and activities in each of the four pillars that follow.

    Data security and compliance must be addressed at a strategic management level. For the strategy to get off the ground and succeed (which, in broad terms, means achieving sustainable control effectiveness across the control environment), it requires investment in resources: the time, budget and people to develop processes, capabilities and documentation. Unless a CISO can secure those resources, the time and effort spent on developing a security strategy, improving the security operating model, and implementing security frameworks and programs will remain an uphill battle that is neither sustainable nor effective. Securing investment from the business is an essential first step, and it requires a compelling case made by the CISO that clearly articulates the value proposition of security and compliance. Some CISOs need to make this case once a year or less; others need to do so more frequently. To do so with confidence requires consistent, high-quality input, which in turn requires groundwork. This is why it is so essential to have an up-to-date SBM, strategy and SOM, as well as a target security operating model (TSOM).

    The SBM documents how the core elements of the security organization will serve the business and stakeholders to improve value. The typical components of the SBM include a documented description of the following:

    Value proposition

    Spells out the offer or promise that the security and compliance team is making about the projected outcomes and returns on investment to the mission stakeholder, and the core strategy for profitably doing business.

    Goals and objectives

    Provides strategic and program goals and objectives that support sustainable security control effectiveness and efficiency of operations.

    Strategy

    References the security and compliance strategy that defines the focus—the application of resources to achieve prioritized goals and objectives.

    Resources

    Describes the in-house and third-party resources and stakeholders with whom the organization will interact, highlighting the mission stakeholders. It includes a description of the security and compliance products or services, anticipated expenses and resulting financial model (income statement and balance sheet), taking into account size and growth ambitions and constraints.

    Architecture

    Documents the structure and organization of security and compliance in relation to the rest of the business, and references the selected operating model (such as POLISM, explained below), support and frameworks.

    Operations

    References the SOM and TSOM, and the organized and concerted activities that will make it possible for the organization to deliver on the strategy and value proposition.

    Culture

    The pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things and their influences on security and compliance.

    Regulations

    Voluntary vs mandatory regulations and legislation; direct and indirect alternatives of compliance.

    Risk management

    Describes how the business culture, and the chosen risk management approach, mitigates the causes that introduce risk that impact the SBM. Defines how the operating model supports risk management, i.e., the execution of decisions based on the identification, evaluation and forecasting of possible events or circumstances that can have a negative influence on assets and compliance with regulations.

    Governance

    References the governance of security and compliance—the way an organization is directed and controlled to reach goals. Specifies the limits in which security and compliance teams operate. Implements processes to monitor performance, ensuring that goals and objectives are determined and defined, ascertaining that risks are managed appropriately and verifying that business resources are used responsibly.

    A well-documented and well-presented SBM is indispensable in helping to address the security program at the strategic or business level. The model allows security managers to gain a broad view of what is happening in the enterprise, enabling them to better treat information risk and improve decisions, while assisting senior management in meeting its goals. 

    The security strategy

    The corporate security strategy is ultimately concerned with formulating and communicating the careful selection and prioritization of defined goals and objectives and the allocation of resources toward their achievement. This, in turn, guides the approach to the design, execution and management (operation) of security and compliance program activities. Therefore, security strategy sits between the business model and operating model for a reason. The strategy defines the focus—the application of resources to achieve prioritized objectives. The operating model then makes it possible for the organization to deliver the strategy and value proposition. Security strategy is seldom effective without support from a SBM and SOM. Input from a documented security business model is essential to the development of an effective strategy. What is missing in many organizations is the communication of the business model for security and compliance to the stakeholders. Many security strategies are not supported by a sound security business model that ties the design, strategy and operations to the core processes, which in turn ties the people, processes and technology together. CISOs need to get better at defining the business model and their strategy, to explain to the board how data security and compliance generate value for the organization. Therefore, the strategy must be properly aligned with the security business model. This helps to secure needed investments and resources for long-term sustainability.

    Lack of this alignment is the first issue with strategy execution. The process of aligning an organization’s structure, resources, decisions and actions with its strategy and business environment is needed to support the achievement of strategic goals. Just having a strategy isn’t enough; by itself, it may have no real effect on the performance of your security program.

    Most organizations can and should improve their capability to design, integrate and execute security strategies. Reviewing strategies only one day per month is not sufficient to properly engage the right people on strategy design and execution. Organizations can benefit from spending a lot more time on strategic security-management capability development. This helps prevent strategic management from being an oversimplified process that results in prioritizing the wrong objectives: not knowing how to accurately determine which approach and controls will provide the best protection to support the robustness and resilience of the control environment.

    The security operating model

    The SOM is the coordinated collection of security capabilities, organizational structure, assets, people, technology, partnerships and governance used to effectively deliver the data security strategy. An operating model focuses on the delivery element of the business model and strategy. It’s the connective fiber between strategy and execution, and a visual representation of how an organization structures its processes to deliver value to its internal and external stakeholders. Operating models, which may also be called value chain maps, are created to help employees visualize and understand the role each part of an organization plays in meeting the needs of other components. There are common taxonomies that present the elements of an operating model in different ways, such as: 1) PPT = People, Process and Technology; 2) POT = Process, Organization and Technology; or 3) POLISM = Processes, Organization, Locations, Information, Suppliers and Management systems.

    These models support the diagnosis (what is causing the performance problems) and solutions (where, what and how to change). Operating models are useful tools for helping managers understand how changes to one part of the organization might impact the value to other parts. Therefore, the SOM is one of the tools a CISO and steering committee should use to help them formulate and execute the security strategy.

    • Well-defined operating models should include six elements (“POLISM”):

      • Processes and activities.
        A clear specification of the work that needs to be done
      • Organization and people.
        The people doing the work and how they are organized
      • Locations, buildings and other assets.
        The places where the work is done and the equipment that supports the work
      • Information.
        The software applications and databases needed to support the work
      • Sourcing and partners.
        Those outside the organization supporting the work
      • Management systems.
        The planning and performance management of the work

  • The following adapted description of an operating model is defined by Hult Ashridge executive education:

    • The core processes that are needed to create and deliver the products or services that provide data security and compliance to the stakeholders
    • The people needed to do the work, and the offer that will attract and retain these people
    • The organization structure, decision rights and accountabilities needed to govern and support the people
    • The information systems needed to execute and support these core processes
    • The processes needed to support the core processes, such as financial or Human Resources processes
    • The suppliers needed to support the processes, and the supplier agreements needed to keep the most important suppliers engaged
    • The calendar of management meetings and scorecard needed to run the organization
    • The cultural context that will help the people be effective
    • The locations, buildings and ambiance where the core and support processes will be executed

    For more information on the business model canvas and operating models, see the Verizon 2020 PSR, page 52.

  • Security frameworks

    Security frameworks present a support guide for the security and compliance management system. The selected frameworks drive the structure of the security program and its projects. Many organizations do not fully implement the frameworks. Refer to page 55 of the 2020 PSR for details on a selection of control, program, risk and governance frameworks.

    Recognizing that data protection is not an IT issue, leadership should ensure that the enterprise develops, adopts and implements appropriate sets of security frameworks. It’s common for organizations to adopt more than one framework in order to meet various required governance, risk and compliance initiatives.

    Security program and projects

    The security and compliance management program delivers the outcomes through the collective oversight and management of projects. Establishing and maintaining management at a program level (as opposed to individual project management) helps to direct and ensure the achievement of long-term goals and objectives that can only be realized when they are collectively managed as a program. We devoted the 2018 PSR to reviewing the components and success factors of security management programs.

    In the goals section above, the importance of goals is reviewed. When formulating your security compliance goals, it’s very helpful to understand the scope and elements of security management—which is why The Security Management Canvas is introduced for perspective. It frames the scope of activities (incorporated as objectives) and the requirements for establishing the conditions needed to achieve your goal.

    • Framework types

      The four main types of security frameworks are:

      1. Control frameworks, such as NIST 800-53, CIS Controls (CSCs) and PCI DSS, each providing a catalog of baseline security controls
      2. Program management frameworks, such as ISO 27001; NIST CSF
      3. Risk management frameworks, such as NIST 800-39, 800-37, 800-30; ISO 27005; FAIR
      4. Governance frameworks, such as ISO/IEC 27002, COBIT, COSO

      The PCI DSS is a security control framework. It is not a program, risk management or governance framework.

  • Systemic change for lasting success

    The approach that organizations take with security and compliance has to evolve to meet today’s sophisticated threats. To be prepared to meet these new requirements, organizations need to develop a rich, contextual picture outlining what they want in terms of security and compliance. The development of mature data security and compliance processes and capabilities needs to speed up—significantly.

    Several security and compliance issues that organizations suffer from today can be traced back to the origin of the PCI compliance regulation. During the first 10 years of PCI DSS (2004 to 2014), the need to comply with PCI DSS was perceived as a significant disruption for many organizations, and in many cases met with resistance. At the time, many organizations did not have well-developed models for their security and compliance into which they could simply integrate PCI DSS requirements. Many still do not have this capability today. They lack established GRC practices, where PCI compliance can be achieved by integrating the baseline set of PCI DSS controls into an existing mature control environment.

    Most organizations’ strategy and program management approaches seem to have evolved organically, without a deliberate and focused attempt to design a security and compliance operational model that includes crafted frameworks for governance and management. 

    During the first 10 years of PCI DSS, a high degree of training and education was needed merely to understand compliance requirements and interpret them correctly. A common approach was, and still is, for a project manager to be appointed and tasked with initiating and managing a PCI compliance project. That person then assigns tasks to people inside the organization and tracks progress.

    But project managers can quickly find themselves overwhelmed by the sheer volume of back-and-forth communication, the amount of time needed for team education and the pressure of keeping internal assessments, remediation and the development of compliance evidence on track. They are also often burdened with repeatedly evaluating compliance evidence, providing feedback, improving low-quality and insufficient evidence, etc. The need for automated compliance management and structured, ongoing scope reduction inevitably becomes obvious. 

    Though many organizations have improved their capabilities over time, relatively few have progressed to sufficiently mature PCI compliance management capabilities and processes.

    When first-order changes do not suffice

    Many security experts note that the superjacent and underlying reasons why organizations don’t achieve sustainable control effectiveness never seem to change. The same problems and challenges keep recurring, and the fixes don’t stick. Interventions that solve an immediate problem often cause other problems elsewhere in the system, or they don’t last. Within PCI compliance and control environments, multiple causes often contribute to the issues organizations experience. The conclusion is that first-order changes will not suffice, and higher-order changes are needed. 

    The introduction of PCI DSS v4.0, with its greater emphasis on objective-based, evidence-backed continuous improvement, may change this situation over the next decade. Organizations will need to make changes to improve their data security and compliance. Some of those changes will be minor and incremental; others will be major, requiring substantial effort and causing disruption. How change is approached can determine whether it is perceived as a positive, much-needed investment or as a harmful and disruptive imposition.

    While all improvements are changes, not all changes are improvements.

    What is the level of change that your organization wants versus the level of change needed?

    That depends on the goal that you are after.  

    • First-, second- and third-order changes to achieve continuous improvement

      Here is a brief summary of the distinctions between first-, second- and third-order changes.

      First-order changes
      These changes work within an existing structure and are consistent with the currently existing operations model. You could view them as tinkering with the system: doing more or less of something, making an existing process better or more accurate, and creating incremental changes, for example making an existing PCI security process or component better or more accurate. First-order changes are easier to make because people are tempted to look at the symptoms and the single, immediate cause of a problem, rather than consider the system as a whole. Sometimes first-order changes work and the efficiency of the system improves. They are most likely to be successful where the problem has a single cause. However, implementing a new security and compliance strategy and achieving continuous improvement requires complex second- or third-order changes.

      Second-order changes
      Second-order thinking is an umbrella term for considering the downstream consequences of first-order thinking to the second, third and nth order. In the game of chess, this would be akin to thinking many steps ahead, considering the options for moving pieces on the board and how alternative actions could bring about better outcomes. Any misstep, such as going straight for the king, will have a ripple effect of consequences for the rest of the game.

      With first-order changes, every action has a consequence. In second order, every consequence has its own consequence. These changes are transformational and seek to alter the operations model. They involve seeing your control environment differently, challenging assumptions and working from a new and different viewpoint. They can be disruptive or discontinuous. Inevitably, they trigger new ways of doing things, evolution of values and goals, and often structural changes in the organization. In many organizations, second-order change attempts are designed to “phase in” updated security operations models and “phase out” others. Changing some aspect of a complex system always introduces second-order effects (consequences). When second-order changes are made, the secondary consequences may seem obvious, but systems are almost always more complex than expected. In an information security control environment, as in a game of chess, the possibility of space is huge. We can consider a simple scenario where we pretend that any change to a cardholder data environment (CDE) security control or control system has only three possible consequences. Thinking about consequences of consequences means we have to consider nine possibilities. Thinking one order higher grows our possibility space exponentially. In the real world, every action has many more possible consequences than three, so every consequence has even more consequences to consider. Second-order consequences include “unknown unknowns,” so there is no way to account for every possibility. There will always be unanticipated consequences, no matter how hard we try. But it is beneficial to recognize possible second- and third-order consequences early in the decision process, and implement changes accordingly.

      Third-order changes
      These changes operate from questions rather than answers—when an organization is willing to question and change its beliefs and culture. Continuous improvement is essential in a constantly evolving world, and this is even more important with the introduction of PCI DSS v4.0. Continuous improvement, by definition, is a process and not merely a state change. Depending on the implementation, a second-order change may still result in merely substituting one state for an improved one. However, an organization committed to continuous improvement requires third-order changes, which are process and systems changes, not merely a state change. A third-order change aims to help the organization’s members develop the capability and capacity to identify and effectively change their own strategy and operations model as they see fit, to achieve optimal performance and expected results. 

      While a second-order change requires a consultant (such as a QSA) to advocate a particular interpretation of requirements, events and downstream consequences, a third-order change requires the consultant to help the organization develop the ability (with the application of proven methods and techniques) to determine when second-order change is needed and then to help implement it. 

  • Thinking is hard. People do quite a lot to avoid it.


    Leadership skill requirements

    Wise security professionals, particularly CISOs and security steering committee members who know how to present themselves and their data security and compliance situation well, get buy-in for the investments they need to develop and advance their security strategy and programs. They obtain leverage when they know how to evaluate their security strategy and program strengths and communicate them well. These are leadership skills. Individuals and teams that fall short in presenting their success in managing data protection generally fall behind and lose opportunities.

    Maintaining up-to-date security business models and security operating models, and mapping out the 7 Constraints, are essential steps to presenting a clear, logical visualization of the control environment. They enable organizations to analyze data security compliance complexities and formulate a coherent, logical and tight strategy that addresses the root causes of poor security and compliance performance. Organizations that apply a structured, logical approach, with second- and third-order changes based on sound reasoning, will be able to define the steps needed to achieve their goals and create a rigid process to expose faulty assumptions and conflicts. In short, they’ll develop the ability to uncover and explain root causes and formulate solutions.

    The application value of TSMC

    CISOs and compliance program managers require clear visibility into the progress of their efforts, and how it relates to the accomplishment of objectives and the stated security and compliance goal. They are often guided (and in some cases misguided) by the dashboards, models and frameworks chosen to frame their view of the control environment and order the steps toward the goal. The methods applied to structure the workload significantly impact the strategy and program engineering and how performance is measured. Remember the saying “What is measured gets done”? That includes the goals, related objectives and requirements for meeting those objectives. The frameworks, methods and “dashboard metrics” applied to security and compliance are immensely important, yet many organizations don’t give this sufficient thought. A lack of research and insights in this area can make it difficult to determine the range of available options and define best-in-class approaches.

    CISOs require simple, effective methods to organize the most important facts into manageable structures and zero in on the ones that enable them to find answers and make sound decisions. This is why Verizon strives to advance research on management methods and promotes models, methods and techniques to simplify and optimize the management process, clarify options, and bring order, structure and repeatability. Our goal is to make the path, the processes and program performance transparent and predictable. 

    The Security Management Canvas (TSMC) enables teams and individuals to identify the main components and subentities or properties of security and compliance management in one overarching framework. This canvas view helps CISOs understand and clarify relationships among these entities. It reveals how the entities are integrated into a coherent whole, representing either an ideal type or an exemplary security strategy and program construction. The Canvas view enables individuals to grasp what would otherwise be an overwhelming flow of seemingly disjointed objectives. Such frameworks are much needed, as individuals can process only a limited amount of information at any given time. The frameworks show which components of security management are essential, translating them into objectives and activities and showing, by implication, which objectives to ignore or postpone. For example, TSMC helps teams focus attention on collective issues and ask pointed questions about how they can contribute. It facilitates the designing of strategies and programs, resulting in the ability to pivot to new concerns and diagnose the root causes of performance issues. And it explores how they can be resolved to improve security ROI and compliance.

    Focus on defining and documenting all five elements of your Security Management Canvas

    1. Clearly communicate your security business model—keep it strategic
    2. Clearly define and communicate your security strategy—goals and priorities should include sustainability and effectiveness objectives
    3. Clearly define and present your documented current and target security operating model
    4. Avoid selective application of security frameworks—fully implement them to achieve their benefit
    5. Make sure the maturity and support of your security program is underpinned by the other elements of the canvas

    Do not neglect these basic steps.