Getting Control of Security Controls
The effective deployment of technology depends on a business-level understanding of the organization. Technology on its own solves very few problems. However, when it is part of a comprehensive protection strategy, and truly integrated, operationalized, and measured, then it can deliver positive return on investment. Historically, security controls provide a cautionary example.
Whether you insource, outsource, or have blended security operations, it doesn’t change the critical fact that control management, to be seen positively by business leadership, has to answer the following:
- How much protection did we actually achieve?
- Is this level reasonable?
- Did we get this at a reasonable cost?
Rather than having a comprehensive business plan for all aspects of the security control, from goals and strategy, to design, operational, and business plans, to measurement and reporting, too many organizations think of each control as technology first: a firewall or vulnerability scanner, for example. As a result, management is seen as tactical rather than strategic, and that can result in misalignment, which leads to a host of other problems.
Having spent time on the vendor side, we are partially guilty of creating this ‘technology first’ dogma because we sold technologies as ‘solutions’. As we learned from repeated cases, customers usually had a challenging time achieving strong value from these technology ‘solutions’.
Seen as tactical, technology-first, sometimes even “check-the-box” initiatives, security controls are often in the hands of security managers with technical backgrounds. Therefore, it is not surprising that controls overemphasize technical security resources and tasks to the detriment of classic business management and integration capabilities.
Some controls are under-invested, others over-invested, and some don’t exist at all. Worse still, there is insufficient integration between the controls, which fails to provide a unified ecosystem of protection across the entire environment.
This imbalance dramatically impacts the overall performance of security controls – both in terms of protection results and cost-effectiveness. These realities can expose the organization to greater risk than expected and to overall poor investment performance. Furthermore, this reinforces the business’s perception that security is a poor place for investment.
To explore this problem a little further, let’s dissect a security control into three dimensions:
- Security resources (e.g. people/skills, technology, partners/vendors) – the bulk of investment
- The day-to-day operations of ‘doing security’ (leveraging resources to achieve objectives, and integrating into a protection ecosystem)
- The background handling of business and political challenges, via management of goals and strategy, design, operational, and business plans, measurement, and reporting
Unfortunately, many organizations have these dimensions wildly out of balance, typically focusing on the security resources and attempting to gain something useful from them via the day-to-day operations. However, the translation into business terminology, and into business-related metrics and reporting, is often a challenge and takes a back seat until it’s too late. This is why we so often see the CISO become the ‘fall guy’.
To greatly increase the chances of success, these dimensions should be equally balanced, with an initial focus on strategy and business case, then calibrating and scaling the program’s people and technology while rolling out and optimizing the day-to-day security operations.
This imbalance is why you often hear that ‘security is a journey and not a destination’. You need to establish a destination, then go on your journey to achieve it. The greater the level of protection, the greater the cost.
Unfortunately, control shortcomings are often exposed as ‘immaturity’ during a proactive assessment or, far worse, during the investigation following a breach. It’s not about a level of maturity against one’s peers or a popular security framework; security controls are meant, fundamentally, to be a conversion of investment into protection.
Understanding the implementation, integration, and at what level those controls can protect the most critical business assets is paramount.
A focus on technology first, or an imbalanced control implementation, doesn’t necessarily lead to greater protection – and certainly not cost-effectively. Rather than defense in depth, as the common refrain has been for two decades now, we see expense in depth and an inability of the business to gain confident and cost-effective control of its security risk through its security controls and control ecosystems.