System of Controls

When we think of all the bad things that could wrong for our organizations, it useful to think in terms of scenarios. It is from the analysis of scenarios that we develop various controls in response.

 

A control is anything that can influence the probability, frequency, or impact of an unwanted scenario. It can be administrative, physical, or technical in nature for the purpose of avoiding, deterring, resisting, or responding to the threat factors driving the loss scenario of concern. Controls come in many varieties, serving a wide range of risk management functions. For common technical controls such as firewalls, intrusion prevention systems, and web proxies, the interesting thing about security is to be effective and useful, there must be integrated coordination among the controls. Organizations have a multitude of controls, and the investment of time and money to implement and operate all of them can be daunting for many.

 

A system is a set of connected things or parts forming a complex whole. Managing cyber risk involves organizations coordinating a series of controls working together to accomplish the organization’s defined risk management objectives. That system needs to be intentionally designed.

 

The design elements of a security program include its functionality, means of operations, any approach to mitigating risk. You know the real-world impact on how well the system of controls operate. As all controls have some elements of interactions with each other and among each other, there are a lot of options to the types of control, the number of controls, and how we integrate all of them together. It is not possible to look at a single control and evaluate its mitigation efficiency against real-world threats. Rather it is the interaction among multiple controls that was specifically and intentionally designed to maximize the effectiveness of a wide range of threats being targeted towards our organizations.

 

Security must be an embedded function in enterprise architecture. The security function must be components of the technology architecture informed by real-world tactics, techniques, and procedures. Its function is to ensure overall and complete coverage of the technology infrastructure that has been designed to meet business needs. In many security programs the design of the program is guided primarily from outside regulatory and compliance requirements, not from internal-based requirements of design that are aligned with business needs. Design happens inside the architectural process, which must be intentional in the selection of controls to meet your specific risk mitigation needs.

​

The controls that we employ, from administrative to physical to technical controls, along with our own blue team tactics, techniques, and procedures that are informed by our approach to security to mitigate risk, need a centralized focus. We need to be able to map out all the relevant business loss scenarios against our digital infrastructure. We need to be able to visually see where our controls are placed and how they interact with each other. We must be able to validate the totality of controls are working in a way that delivers the intended residual level of loss exposure the business has signed off on.

​​

That is wat a system of controls, guided by business needs and aligned with other risk management efforts across the enterprise, delivers as value for the business.

​