What is A Security Target Operating Model?

As cliché as it may sound, in order to be successful a business needs every department to work together as one to achieve its goals. For cyber security teams, however, this has often been difficult, as their goals are not usually in line with the general direction of the business. Achieving this requires companies to align cyber security performance with their key company-wide objectives, which brings us to the topic at hand: Security Target Operating Models (STOMs). As explained by Security Operating Specialist Shanne Edwards, a Security Target Operating Model ‘can be explained in terms of where it [the cyber security team] is today and where it needs to be over a three to five year period.’

How do Security Target Operating Models work?

You may be wondering exactly how a Security Target Operating Model works. It’s hard to give a definitive answer - the STOM should not be viewed as something that either works or doesn’t, but rather as a fluid strategy which can be adjusted and altered depending on the direction the business is taking. Firstly, it’s crucial to scope all workflows and understand exactly what developments you expect to achieve in your cyber security team in the defined period of time (3 to 5 years). By understanding this, you are able to set more specific objectives and allocate the necessary budget, time and resources to manage the process. Just remember that creating a strategy might be simple, but implementing the plan is going to be much harder.

STOMs also shouldn’t be viewed as relevant only to the cyber security team, as in practice they require the buy-in of the entire senior leadership team. The board and executive leaders have to be able to understand, quantify and support your individual goals in order to help you reach your milestones, and the security team’s objectives need to be aligned with the objectives of senior leaders. In order to deliver your STOM successfully, it needs to create a symbiotic relationship between the security team and core business operations. By demonstrating how one can support the other - for example, showing how a specific revenue stream which requires a certain application to operate is underpinned by robust security measures that keep data confidential - you can help to mitigate your risks and demonstrate business compliance quickly and easily.

However, defining the Operating Model is just one part of the process. As soon as you have set clear objectives and obtained buy-in from all stakeholders, you need to start implementing measures based on your original transition plan. Often, this involves prioritising key activities and creating a security transformation program which improves or implements these new measures, with a clear starting point and end goal. Once you’ve started to act on these changes, it becomes easier to understand where your business is going and whether the cyber security measures enacted are going to achieve the outcomes anticipated.

Why are Security Target Operating Models important?
In an era of business transformation, change is a constant process for almost every organisation. Security teams need to constantly adapt to meet new threats and risks every day, and by implementing incremental changes over time you can help to redefine exactly what ‘cyber security’ means to your organisation. In more holistic terms, it helps to lay the groundwork for longer-term business strategy, as the individual goals of the Security Target Operating Model should align with the marketing and sales tactics deployed. By creating this vision for the future, your security team members can articulate what steps are necessary to reach the end-point and also map the journey required to get there, creating clarity at every level of the business. Rather than focusing on short-term knee-jerk actions, STOMs can help you create a robust long-term strategy to guide the business in both operational and security terms.

Security Target Operating Models are a great way for your cyber security team to align their activities towards the overall business objectives and can be critical for opening up essential dialogue between different teams and functions.

However, it’s important not to view a Security Target Operating Model as a rigid structure. As your business grows and changes, the cyber security requirements for your organisation will inevitably change too, and you will therefore need to adapt accordingly. This evolution should be viewed as positive and managed proactively to ensure the transition has the greatest impact whilst remaining within budget.

If you want to find out more about Security Target Operating Models, or to speak to a specialist who can help you understand how one could benefit your organisation, contact Via Resource today.

Alternatively, if you’d like to find out about a different strategy you can take to manage your cyber security with minimised risk and maximum assurance, read our previous blog.