This multipart series documents a “Jargon-free security model” I have developed based on my years of experience in Information Security. Part I introduced the model, and in part II, we examined the first and most essential element of the model, Visibility. In this article, we’ll look at the next aspect of the model, “Control.”
The Control element captures your department’s ability to effectively prevent, respond to, or recover from security incidents. As your Visibility into the environment improves, you should be able to detect more incidents. Implementing Control is the next logical step.
“Control” includes a vast array of security technologies, from firewalls to encryption technologies, anti-malware, application whitelisting, and many others. Within your security group, with the experts on your team, it is useful to distinguish between the Control capability categories and align with a model like the NIST Cyber Security Framework or the Cyber Kill Chain. However, when communicating with folks outside of InfoSec, these distinctions are unintuitive and uninteresting.
All of the following examples fall under the “Control” element:
Asset Management: Can we prevent unauthorized devices from connecting to our network? Can we stop the installation of unauthorized or unlicensed software packages in our environment? Can we prevent changes to security-critical configuration variables on our devices?
Vulnerability management and remediation: Are we timely in patching vulnerabilities? Can we apply emergency patches quickly if we need to?
Network protection: Can we respond quickly to attacks by placing additional network restrictions in place? Have we implemented automation where appropriate so that no human interaction is necessary for obvious problems (e.g., DDoS attacks)?
Entitlement management: Are privileges managed in a timely fashion? Do we have regular recertification of access in place for critical entitlements?
Event Monitoring and Reporting: When a security event or series of events occurs, is there a response plan in place? Does the response plan work?
Generally, every “Visibility” metric should have a corresponding “Control” capability. It should be evident that if you can see a problem, you must fix it. Maintaining the link between Visibility and Control ensures that you are investing in things that matter. If you are watching for something, without a plan for what to do if you see it, or you have a response capability for a problem that you’ll never be able to see, you need to go back to the drawing board.
It’s easy to get carried away with the Control capabilities. If you do not align your investments with risk, you will lose credibility over time. Remember that a manual or procedural control is still an effective control in many cases, and you should document that it is in place. Save your ammunition for the fights that matter. For small organizations, leverage shared services rather than products to manage costs and expand your team’s reach. Whenever you are preparing an investment proposal, take a close look at the problem you are trying to solve and ask yourself honestly whether you can express the situation in the form of a dollar figure. If you can’t, none of your executive peers and leaders will be able to either.
For “control,” the success metrics should focus on the timeliness and effectiveness of the response. Again, it’s important to be pragmatic and stick to what is feasible, given your team’s size. Not every issue requires a two-hour SLA, and there are plenty of problems that can wait until Monday.
Together, the “Visibility” and “Control” elements of the Jargon-free security model cover 95% of what every other security model includes. Future articles in the series will discuss why 60% of what you need to do to succeed as a CISO or DIS has little to do with traditional InfoSec concerns. They will also highlight why getting rid of security jargon in your communication frees you to focus on other issues, and how focusing on these other issues will help you become a trusted business partner.