This repository contains the security operating model I've developed and refined over several years leading security programs at scale-ups and mid-size companies. It started as internal documentation that I kept copying between roles, so I decided to consolidate it into something reusable.
The goal is pragmatic security governance that actually works in engineering-driven organizations, not compliance theater.
What this demonstrates:
- Strategic thinking: threat landscape tied to business context, not generic risk lists
- Prioritization discipline: risk scoring that drives resource allocation
- Execution focus: 90-day plans and 12-month roadmaps with measurable outcomes
- Governance that scales: exception handling, risk acceptance, security reviews
- Engineering alignment: security integrated into SDLC, not bolted on
- Honest retrospection: what failed, what we abandoned, and what we learned
Quick evaluation path:
Start here:
docs/01-north-star-and-principles.md # What we optimize for
docs/03-risk-prioritization.md # How we decide what matters
Then validate execution:
docs/06-kpis-and-metrics.md # How we measure progress
docs/08-exceptions-and-risk-acceptance.md # How we handle reality
Check what we learned the hard way:
docs/12-evolution-and-lessons-learned.md # Failures and abandoned approaches
docs/postmortems/ # Real incidents, anonymized
Finally, check compliance linkage:
mapping/iso27001-annexA-to-controls.md # ISO 27001 mapped to concrete controls
mapping/controls-to-repos.md # Controls mapped to implementation
|
|
||||||||||||||||||||
|
|
||||||||||||||||||||
|
|
I built this for a few reasons:
| Audience | What they get |
|---|---|
| Security leaders | A starting point that's faster than building from scratch |
| Engineering teams | Clear expectations and processes they can actually follow |
| Executives | Visibility into security priorities and progress |
| Auditors | Evidence of a functioning security management system |
This isn't meant to be deployed as-is. Every organization has different threats, risk appetite, and constraints. The value is in the structure and the thinking behind it, which you adapt to your context.
security-operating-model/
├── README.md # You are here
├── docs/ # Core strategic documents
│ ├── 00-evaluate-in-10min.md # Quick assessment guide
│ ├── 01-north-star-and-principles.md
│ ├── 02-threat-landscape.md
│ ├── 03-risk-prioritization.md
│ ├── 04-90-day-plan.md
│ ├── 05-12-month-roadmap.md
│ ├── 06-kpis-and-metrics.md
│ ├── 07-operating-model-and-raci.md
│ ├── 08-exceptions-and-risk-acceptance.md
│ ├── 09-security-review-process.md
│ ├── 10-incident-operating-loop.md
│ ├── 11-iso27001-in-practice.md
│ ├── 12-evolution-and-lessons-learned.md
│ ├── 13-supply-chain-security.md
│ └── postmortems/ # Anonymized incident learnings
│ └── PM-001-staging-database-exposure.md
├── templates/ # Reusable governance artifacts
│ ├── risk-register.csv
│ ├── risk-acceptance.md
│ ├── exception-request.md
│ ├── security-design-review.md
│ ├── supplier-security-questionnaire.md
│ ├── kpi-dashboard-spec.md
│ ├── decision-memo.md
│ └── executive-security-report.md
├── decision-memos/ # Example arbitration decisions
│ ├── DM-001-deny-public-exposure.md
│ ├── DM-002-secrets-management-standard.md
│ └── DM-003-exceptions-timebox.md
├── mapping/ # Compliance and implementation linkage
│ ├── iso27001-annexA-to-controls.md
│ └── controls-to-repos.md
└── LICENSE
| Document | Purpose |
|---|---|
| 00-evaluate-in-10min.md | Quick walkthrough for evaluators |
| 01-north-star-and-principles.md | Security mission and non-negotiables |
| 02-threat-landscape.md | Contextualized threat analysis |
| 03-risk-prioritization.md | Risk scoring methodology and register |
| 04-90-day-plan.md | Initial execution roadmap |
| 05-12-month-roadmap.md | Annual strategic objectives |
| 06-kpis-and-metrics.md | Security metrics that matter |
| 07-operating-model-and-raci.md | Organizational model and responsibilities |
| 08-exceptions-and-risk-acceptance.md | Governance for deviations |
| 09-security-review-process.md | Design review methodology |
| 10-incident-operating-loop.md | Incident response procedures |
| 11-iso27001-in-practice.md | Practical ISO 27001 implementation |
| 12-evolution-and-lessons-learned.md | Framework evolution, failures, and what we learned |
| 13-supply-chain-security.md | Dependency and build pipeline security |
These document real arbitration decisions with full context on trade-offs:
| Decision | Summary |
|---|---|
| DM-001 | Deny public exposure by default - policy-as-code enforcement |
| DM-002 | Secrets management standard - short-lived credentials, no long-lived keys |
| DM-003 | All exceptions are timeboxed - 90-day maximum with renewal process |
Anonymized incident postmortems that shaped our current practices:
| Incident | Key Lesson |
|---|---|
| PM-001 | Staging database exposed to internet - led to environment parity controls |
These are sanitized versions of real incidents. Names, dates, and identifying details have been changed, but the lessons are genuine.
| Standard | Coverage |
|---|---|
| ISO 27001:2022 | Annex A controls mapped to implementation |
| NIST CSF | Identify, Protect, Detect, Respond, Recover addressed |
| SOC 2 | Trust Service Criteria alignment for SaaS contexts |
| CIS Controls | Implementation Groups 1-2 covered |
The mapping/ directory contains detailed control mappings.
This is a governance framework, not a complete security program:
- Tool-specific configurations - Adapt to your stack (AWS/GCP/Azure, specific SIEM, etc.)
- Detailed runbooks - Incident playbooks need to match your infrastructure
- Penetration testing - Scope and methodology depend on your architecture
- Security awareness content - Training materials are organization-specific
- Vendor-specific integrations - SSO, MDM, EDR configs vary by product
The operating model tells you what to do and why. The how depends on your technology choices.
MIT. See LICENSE.