What Makes Up A Good Security Control?
I think this very basic question is something we all might take for granted. Or at very least overlook.
When we’re putting together our advanced security stacks or upgrading them annually (as you probably should be thinking about this time for 2023), we talk about tools. We also talk about technology. But do we really focus on the actual controls? And do we evaluate controls that help us reduce risks within our environments or that of our clients?
This is something I think needs some discussion. NOTE: I will go over some of my thoughts here, but if you really want to dive into controls, how to evaluate them and how to communicate about them to leadership teams and boardrooms, I suggest you check out the upcoming vCSO—that is, virtual Chief Security Officer— training event THIS November in Nashville (www.galacticscan.com/vcso).
Instead of focusing specifically on your security stack and the many controls it may or may not contain, I want to step back and at a higher level get some thought out around controls in general. I want you to start thinking about controls more so than just from the technical perspective and see them from an organizational level.
Why have controls? They help eliminate as much risk as possible. It’s as a simple as that.
Every decent control must possess certain qualities. I think we can all agree on this. Whether it is to make sure you’re not overspending on the finance side, delivering great service on the support side, protecting your data and that of your clients on the security side, or just making sure you have a happy and functional team, controls are in place to make sure trains move on the right tracks at the right time. And until we start thinking about this, we might fail to recognize the right controls within a cyber stack or within our processes to make sure our supported networks are in fact secure.
Here are 8 qualities that I think every control—including cybersecurity controls—must have. When you’re thinking about data security, I want you to start thinking about evaluating the quality of controls you have in place.
Feedback—feedback is critical to making sure things are working correctly. You can put as many controls into your systems as you’d like, but until you have concrete information showing you that system is working (and those controls are doing their part), you won’t be able to tell. If you implement security without having a way to test that it’s working, how valuable is it? Note: One way to show a layer of your stack is working is by performing a cyber stack analysis.
Objective—why is that control in place? If you are just implementing security for security’s sake, you probably will end up pissing off clients and wasting your time and money. What is the reason behind putting new controls in? Or when evaluating the controls you have, why are they there? It shouldn’t just be ‘because everyone has this’ or ‘that’s the way it’s been done for years.
Report—if you don’t report out the effectiveness of the control regularly, you probably won’t see if that control produces results that deviate from what you’re looking for. Is the system you have in place going to plan? If not, how can it be fixed? Without timely reporting, especially on deviations from what you expect, you may end up with a control that isn’t really doing all that much.
Forward-looking—often controls that report out results focus on reporting past results without any look into the future. If you are not projecting and predicting anything in advanced, you may be missing out on opportunities before they become major problems.
Flexibility- rigid controls typically are not very effective, especially as situations change or needs vary within an organization. As your team deals with different scenarios, a control may need to be flexible to accommodate a business need. That not only helps the organization perceive security as not just a rigid yes or no rule, but as a help in making the business better.
Economical—this is basic math. A control’s benefits must always be greater than its cost to the organization. This may be a tangible cost for a security tool, but also a cost in time or work missed in changing a process. If the organization cannot see the economical benefit, it might not be a good fit.
Simple—sophisticated controls never work. If the most common denominator of employees can’t understand a control, how are they going to follow it? The simpler the control, the better it is for the organization. Try to resolve ambiguities and confusion in your controls so that your entire team and user base can understand why it is in place.
Worker-focused—good controls focus on workers instead of simply the work. By seeing how a control integrates into a process and people, you create a means for everyone to work within the control effectively.
We all know that controls are extremely important. I challenge you to review some of your critical controls and evaluate whether they are good for the organization. This isn’t the easiest assignment and there are many ways to improve your controls. I will be taking a deep dive on this very topic at our next Partner-Exclusive advanced vCSO event in November. For more details visit www.galacticscan.com/vcso.
