Building a Strong Cybersecurity Roadmap: A New CISO’s Approach Using the Patterson Model
  • Updated on February 1, 2025
  • 9 min read

As a new or even current Chief Information Security Officer (CISO), one of the most critical tasks you will face is developing and maintaining a robust cybersecurity roadmap. This strategic plan guides the organization in addressing security risks, evolving compliance requirements, and emerging threats. Building this roadmap, however, is no easy feat. It requires in-depth collaboration with the security team and cross-functional engagement across the organization. A structured approach like the Patterson model, which helps assess what’s right, wrong, missing, and confusing (RWMC), can provide the clarity and direction needed to succeed.

Understanding the Patterson Model

The Patterson model is a framework used for organizational analysis and problem-solving, helping leaders assess a situation from multiple perspectives. It revolves around four core questions:

  1. What is right? – Identifying strengths and existing effective measures.
  2. What is wrong? – Spotting weaknesses, inefficiencies, or problematic practices.
  3. What is missing? – Highlighting gaps, resources, or processes that should be in place.
  4. What is confusing? – Uncovering ambiguities, unclear roles, or overlapping responsibilities that might cause dysfunction.

For a CISO, this established and recognized model offers a comprehensive approach to evaluating the cybersecurity posture and working across various teams to develop a cybersecurity roadmap. Let’s break down how you can apply the Patterson model to succeed in this task.

Start With What Is Right

The first step is identifying what is working well in the security posture. There are likely several strengths already in place within the security infrastructure, personnel capabilities, and organizational policies. These strengths provide a foundation on which to build the cybersecurity roadmap. For example:

  • Mature Processes: Look for processes that have been effective over time, such as incident response protocols or vulnerability management programs that are consistently yielding results.
  • Strong Team Dynamics: A cohesive, high-performing security team is a significant asset. Identify the team’s strengths in collaboration, problem-solving, or technical capabilities.
  • Security Tools and Technologies: Existing investments in well-deployed security tools, like SIEM (Security Information and Event Management) platforms, firewall configurations, or endpoint protection solutions, can form part of the roadmap’s backbone.

Recognizing these strengths, and working cross-functionally to identify them, helps a CISO build collaborative equity, credibility, and momentum within the organization. Acknowledging what the security team does right builds or enhances morale, and communicating it to leadership provides a positive foundation and fosters trust.

Address What Is Wrong

The next crucial step is pinpointing areas of concern—those elements that are either broken or not functioning as they should. These weaknesses pose risks to the organization’s security posture and need immediate attention. This aspect of the Patterson model encourages CISOs to evaluate:

  • Inefficient Processes: Are there outdated procedures that consume time without delivering value, such as manual log reviews that could be automated?
  • Skill Gaps: Is the security team lacking expertise in certain areas, such as cloud security, DevSecOps, or emerging threat intelligence capabilities?
  • Technology Debt: Is there any reliance on legacy systems that are difficult to secure, or is the organization underinvesting in critical areas, such as endpoint detection or network segmentation?

When identifying what is wrong, a CISO must work closely with both the security team and other departments. Cross-functional collaboration with IT, engineering, and operations teams can uncover systemic issues that hinder security. For example, a lack of coordination between DevOps and the security team might be creating vulnerabilities in software deployments. By openly addressing these problems, the CISO can begin to turn weaknesses into opportunities for improvement.

Identify What Is Missing

The most challenging gaps are often those that are not immediately visible. This is where the Patterson model excels, prompting the CISO to look beyond the obvious and uncover missing components that could significantly impact the organization’s cybersecurity efforts. Key areas to explore include:

  • Policies and Procedures: Are there missing policies that are critical to compliance or security, such as a formal data classification policy or clear BYOD (Bring Your Own Device) guidelines?
  • Resources and Tools: Does the team have the tools they need to manage today’s sophisticated threats, or are they lacking next-generation firewalls, cloud-native security solutions, or advanced threat hunting capabilities?
  • Training and Development: Is the team receiving ongoing training to keep pace with industry changes and evolving threats? Are there development programs to enhance employee awareness and foster a security-first culture across the organization?

Engaging with cross-functional teams can provide clarity on what is missing, especially when considering how other departments perceive and implement security protocols. HR, for example, can offer insight into onboarding processes that may be missing critical security training, while the legal department can point out overlooked compliance requirements.

Clarify What Is Confusing

Lastly, the CISO must tackle areas that are confusing, as these often create inefficiencies and hinder the overall effectiveness of security efforts. Common sources of confusion include:

  • Unclear Roles and Responsibilities: Are there overlapping roles between the security team and IT, leading to miscommunication or delayed responses to security incidents?
  • Ambiguous Policies: Are policies written in a way that causes confusion among employees, such as vague instructions for reporting phishing attempts or unclear access control measures?
  • Competing Priorities: Are there conflicting priorities between different departments, such as sales pushing for faster product releases at the expense of security testing?

Clarifying what is confusing requires deep communication and collaboration across the organization. A CISO should engage not only the security team but also leadership and other departments. By facilitating cross-functional conversations, the CISO can ensure that everyone understands their role in maintaining cybersecurity and resolving any confusion around processes or priorities.

Throughout the application of the Patterson model, cross-functional collaboration is crucial. A successful cybersecurity roadmap is not developed in isolation; it is built through partnership with IT, legal, compliance, HR, and business units. Each department offers valuable insights into how security impacts their daily operations, and a new CISO must listen carefully to understand their concerns and challenges.

For example, IT may provide input on the technical feasibility of implementing new security solutions, while legal can shed light on upcoming regulatory changes. HR’s perspective on employee training and onboarding processes can reveal gaps in security awareness that need addressing.

You Learned a Lot and Worked Together – So What?

The process of developing a cybersecurity roadmap using the Patterson model does more than just identify strengths, weaknesses, gaps, and ambiguities in security. It provides a structured approach that can inform a comprehensive business plan, lead to clearer budgeting, address staffing needs, and ultimately deliver better business outcomes. Here’s how the process delivers meaningful impact to the organization.

A Comprehensive Business Plan

With the results of the assessment, a CISO should now build the baseline business plan that describes how security will operate and interactively work with and enhance the business. A detailed business plan not only focuses on security but integrates it with the organization’s overall strategy. This includes establishing your vision, mission, and values; defining the outcomes of security engagement with the business; defining the products that the security team will offer both internal and external customers; and setting long-term goals like improving regulatory compliance, enhancing customer trust, and enabling secure digital transformation. The roadmap ensures that cybersecurity is treated as a business enabler, not just a compliance check or technical function.

Clearer and Better Budgeting

A key outcome of this process is more informed and transparent budgeting. As the CISO identifies what’s missing—such as critical tools, technologies, or personnel—it becomes easier to justify budget requests based on identified gaps, data, and risks. Likewise, knowing what is wrong allows the organization to allocate resources more effectively by addressing inefficiencies or replacing outdated technologies. With a clear understanding of strengths, weaknesses, and needs, leadership can make data-driven decisions about where to invest in cybersecurity, creating a balanced budget that supports both immediate needs and long-term objectives.

Addressing Staffing Needs

Your assessment will not only identify technological gaps but also deficiencies in staffing. For example, the CISO may identify that the security team lacks expertise in areas like cloud security or incident response because the business made a move to the cloud and security did not address the need. This clarity allows for precise workforce planning, whether it involves hiring new staff, offering targeted training, or reallocating responsibilities within existing teams. Additionally, identifying what is right within the team helps ensure that key personnel are supported and that their expertise is leveraged effectively.

Better Business Outcomes

Ultimately, the process leads to improved business outcomes by aligning cybersecurity efforts with the company’s strategic goals. A clear and well-communicated roadmap that properly assesses the organization allows for the acquisition, allocation, or implementation of resources that in turn reduce the likelihood of security breaches, which can have devastating financial and reputational impacts. Moreover, it fosters cross-functional collaboration, making security a priority for all departments and enabling them to contribute to overall security practices. This alignment ensures that security initiatives support innovation, customer trust, and regulatory compliance, all of which drive business success.

A More Mature and Secure Environment

The roadmap developed doesn’t just address current needs; it sets the stage for a more mature and secure environment when the process described above becomes cyclical. This process should be conducted annually. As the roadmap is implemented and refined over time, the organization will develop a more proactive security posture, better equipped to respond to evolving threats while maintaining alignment with business goals. This maturation ensures that security is not only reactive but also anticipatory, creating an environment where cybersecurity becomes integral to the organization’s success.

Conclusion

In summary, using the Patterson model to build the foundations of a cybersecurity roadmap empowers a CISO to craft a robust business plan, create clear budgeting processes, address staffing needs, improve business outcomes, and foster a more secure and mature organizational environment. This holistic approach bridges the gap between security and business, ensuring that both work hand-in-hand to achieve long-term success.


About the Author

Mark Houpt

Chief Information Security Officer

Mark serves as DataBank’s Chief Information Security Officer and is responsible for developing and maintaining the company’s security program road map and data center compliance programs. He brings over 30 years of extensive information security and information technology experience in a wide range of industries and institutions.
