System of Controls

We need better cyber security! We need better Cyber Risk Management! We need better Risk Management! We need better Enterprise Risk Management!

Smart IT can help with a System of Controls, the next generation of cybersecurity and the future of work.

Risk never sleeps for business as cyber-attacks continue to mount against our organizations. The very technology infrastructure that enables new business innovation and creates market value is under constant threat from digital attacks.

To keep cyber risk from disrupting our organization’s achievement of its business goals, IT needs dynamic thinking and a systems approach to deal with today's challenges.

We need to think in terms of a "system of controls" to deliver to our organizations the type of modern risk management they need.

When we think of all the bad things that could go wrong for our organizations, it is useful to think in terms of scenarios. It is from the analysis of scenarios that we develop the various controls that respond to them.

A control is anything that can influence the probability, frequency, or impact of an unwanted scenario. It can be administrative, physical, or technical in nature, and its purpose is to avoid, deter, resist, or respond to the threat factors driving the loss scenario of concern. Controls come in many varieties and serve a wide range of risk management functions. Even common technical controls such as firewalls, intrusion prevention systems, and web proxies are only effective and useful when they are coordinated with one another; a firewall that blocks traffic nobody investigates, or a proxy whose logs never reach the team responding to an intrusion, is doing less than its specification suggests. Organizations have a multitude of controls, and the investment of time and money to implement and operate all of them can be daunting.

A system is a set of connected things or parts forming a complex whole. Managing cyber risk means coordinating a series of controls so that they work together to accomplish the organization’s defined risk management objectives. That system needs to be intentionally designed.

The design elements of a security program include its functionality, its means of operation, and its approach to mitigating risk. Together they determine the real-world effect of how well the system of controls operates. Because every control interacts in some way with the others, there are many choices to make about the types of controls, the number of controls, and how they are integrated. It is not possible to look at a single control in isolation and judge how well it mitigates real-world threats. What matters is the interaction among multiple controls, specifically and intentionally designed to be effective against the wide range of threats targeting our organizations.

Security must be an embedded function in enterprise architecture. The security function must be a component of the technology architecture, informed by the real-world tactics, techniques, and procedures of attackers. Its job is to ensure complete coverage of the technology infrastructure that has been designed to meet business needs. In many security programs the design is driven primarily by outside regulatory and compliance requirements, not by internal design requirements aligned with business needs. Design happens inside the architectural process, which must be intentional in selecting controls to meet your specific risk mitigation needs.

The controls we employ, from administrative to physical to technical, along with our own blue team tactics, techniques, and procedures, need a central point of focus. We need to be able to map every relevant business loss scenario against our digital infrastructure. We need to see where our controls are placed and how they interact with each other. And we must be able to validate that the totality of controls is working in a way that delivers the residual level of loss exposure the business has signed off on.
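As an added example, not taken from the book, the following Python sketch shows one way to put the preceding two ideas into a checkable form: each control either reduces how often a scenario occurs (avoid, deter, resist) or how much it costs when it does (respond), and a validation pass compares the residual annual exposure of each scenario against the tolerance the business signed off on and flags scenarios whose controls are thin. The scenarios, control names, reduction percentages, loss figures and tolerances are all constructed for illustration, and the multiplicative, independent-reduction model is a simplifying assumption, not a claim about how the book quantifies risk.

```python
"""Toy model of a 'system of controls'. All scenarios, controls and numbers
below are constructed for this example; they are not data from any real program."""
from dataclasses import dataclass, field

# Control functions named in the text: avoid/deter/resist act on how often a
# scenario occurs; respond acts on how bad it is once it has occurred.
FREQUENCY_FUNCTIONS = {"avoid", "deter", "resist"}
IMPACT_FUNCTIONS = {"respond"}


@dataclass(frozen=True)
class Control:
    name: str
    kind: str          # administrative | physical | technical
    function: str      # avoid | deter | resist | respond
    reduction: float   # assumed fraction of frequency or impact removed, 0..1


@dataclass
class Scenario:
    name: str
    frequency: float   # expected occurrences per year with no controls
    impact: float      # expected loss per occurrence with no controls
    tolerance: float   # residual annual loss the business has accepted
    controls: list = field(default_factory=list)


def residual_exposure(s: Scenario) -> float:
    """Residual annual loss after controls.

    Simplifying assumption: each frequency control scales frequency by (1 - r)
    and each impact control scales impact by (1 - r), independently of the others.
    """
    freq, impact = s.frequency, s.impact
    for c in s.controls:
        if c.function in FREQUENCY_FUNCTIONS:
            freq *= 1.0 - c.reduction
        elif c.function in IMPACT_FUNCTIONS:
            impact *= 1.0 - c.reduction
        else:
            raise ValueError(f"unknown control function {c.function!r}")
    return freq * impact


def coverage_gaps(s: Scenario) -> list:
    """Findings a validation pass would raise for one scenario."""
    gaps = []
    if residual_exposure(s) > s.tolerance:
        gaps.append("residual exposure exceeds signed-off tolerance")
    functions = {c.function for c in s.controls}
    if not functions & FREQUENCY_FUNCTIONS:
        gaps.append("no control reduces how often the scenario occurs")
    if not functions & IMPACT_FUNCTIONS:
        gaps.append("no control limits the loss once the scenario occurs")
    if len(s.controls) == 1:
        gaps.append(f"single point of control: {s.controls[0].name}")
    return gaps


def validate(scenarios) -> dict:
    """Map each scenario name to its list of gaps (empty list means covered)."""
    return {s.name: coverage_gaps(s) for s in scenarios}


# Constructed sample controls (hypothetical names and reduction estimates).
AWARENESS = Control("security awareness training", "administrative", "deter", 0.20)
MFA = Control("phishing-resistant MFA", "technical", "resist", 0.90)
PROXY = Control("web proxy with URL filtering", "technical", "resist", 0.50)
EDR = Control("endpoint detection and response", "technical", "respond", 0.60)
BACKUPS = Control("tested offline backups", "technical", "respond", 0.70)

# Constructed sample scenarios (hypothetical frequencies, losses, tolerances).
SCENARIOS = [
    Scenario("credential phishing leads to mailbox takeover",
             frequency=12.0, impact=50_000.0, tolerance=100_000.0,
             controls=[AWARENESS, MFA, PROXY, EDR]),
    Scenario("ransomware encrypts file servers",
             frequency=0.5, impact=2_000_000.0, tolerance=150_000.0,
             controls=[BACKUPS]),
]

if __name__ == "__main__":
    for name, gaps in validate(SCENARIOS).items():
        status = "covered" if not gaps else "GAPS"
        print(f"{status:8} {name}")
        for g in gaps:
            print(f"         - {g}")
```

Running the script shows the point the text is making: the phishing scenario, with four coordinated controls spanning deter, resist and respond, lands well inside its tolerance, while the ransomware scenario, resting on a single respond-type control, exceeds its tolerance and has nothing reducing how often it occurs. Neither conclusion could be read off any one control on its own.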

That is what a system of controls, guided by business needs and aligned with other risk management efforts across the enterprise, delivers as value for the business.

This book lays the foundation for a transformative journey in which IT re-imagines its cyber security program through the lens of systems thinking in the context of risk management.

Order from Amazon Today

© 2025 by Vision Park Media