Security controls represent the foundational functions designed to enhance cybersecurity. For instance, a control may involve restricting the free communication between external systems on the Internet and internal systems within your organization (commonly known as boundary protection). Within the cybersecurity field, it is widely acknowledged that a firewall is a primary tool for implementing such controls.
Over the years, groups of knowledgeable professionals have collaborated to define extensive lists of security controls, covering a diverse range of aspects. These controls have been organized into control frameworks, as different industries possess unique characteristics and security needs. Notable control frameworks include:
National Institute of Standards & Technology (NIST) - Employed by the U.S. government.
HITRUST - Utilized in the healthcare sector.
NERC-CIP - Adopted by the energy industry.
Within these control frameworks, controls are typically categorized and codified. For instance, the earlier example of boundary protection is identified as control SC-7 (Boundary Protection) in the NIST 800-53 control framework, where "SC" denotes "Systems and Communications Protection," a sub-control family within the NIST 800-53 controls.
When the entirety of the security stack is evaluated, the result is an extensive list of controls that experts have collectively deemed necessary to fully safeguard organizations. These security control frameworks consist of a growing number of controls, ranging from hundreds to thousands of individual controls.
Organizations have to determine which controls they should implement, as each control incurs costs in terms of time and resources. There are several approaches to this decision-making process:
Compliance with Industry Mandates - Some controls are mandated by industry-specific control frameworks (e.g., HITRUST for healthcare or NERC-CIP for energy).
Risk Framework Classification - Systems may be classified into risk categories (e.g., high, medium, or low risk), and the associated risk level dictates a prescribed set of controls.
Customized Risk Analysis - Organizations can perform their own risk assessments and select controls they believe are suitable for managing their unique risk profiles.
The world of cybersecurity frameworks can often be bewildering, even for those deeply entrenched in the field. A few years back, during RSA 2019, Frank Kim presented a valuable analogy that shed light on this complexity. He drew a parallel with the world of chefs and cooking:
Cyber Control Frameworks - These are akin to the list of essential ingredients, providing the foundational elements for cybersecurity. (NIST 800-53 controls, CIS controls)
Cyber Program Frameworks - Imagine this as the recipe, where the control frameworks' ingredients come together to form a cohesive program, outlining how to effectively deploy these controls. (NIST CSF, ISO 27001)
Cyber Risk Frameworks - Think of these as the guidelines for where and how to serve these cybersecurity recipes, ensuring they are applied strategically to manage and mitigate risks. (NIST 800-39, ISO 27005)
Do I buy that CiscoAlto Juniportinet Next Gen Firewall (NGFW)?
Executives are faced with critical questions when it comes to cybersecurity controls, as they directly impact both time and financial resources:
Value in Protection - Which controls offer the highest level of protection value?
Value in Cost - Which controls deliver the most value in terms of cost-effectiveness?
Consistency in Assessment - Is there alignment in the answers to the first two questions?
Presently, responses to these inquiries often lack a standardized approach and tend to rely heavily on individual experiences and personal biases. Cybersecurity professionals frequently encounter scenarios where:
Auditors or executives emphasize a control that may seem of limited value from the practitioner's perspective.
There is a sense of relief when auditors or executives do not emphasize (i.e., mandate exclusive focus on) a control perceived as having little value.
Frustration or conflict arises when auditors or executives do not prioritize a control seen as highly valuable.
The last point above underscores the essence of this discussion. It reveals the subjective nature of cybersecurity control assessments, whether a control is considered of little or high value. Even seasoned cybersecurity engineers can make both accurate and inaccurate estimations regarding control value. These estimations often rely on a person's experiences and biases, making them inherently subjective and variable. Improper control valuations are not solely attributable to a lack of experience.
A few years ago, I came across an insightful book titled "Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity," which I highly recommend. The book featured interviews with top red team hackers, delving into their backgrounds and insights. Two questions posed to each were: "What is the least bang-for-your-buck security control that you see implemented?" and "What's the most important or easiest-to-implement control that can prevent you from compromising a system or network?" Interestingly, even among these elite hackers, different opinions emerged. Some security controls that were considered the best value by certain experts were viewed as less effective investments by others. This divergence underscores the inherent variability in control valuation and highlights that a control's worth extends beyond the tool itself, with its value heavily contingent on its implementation.
The FAIR Control Analytics Model (FAIR-CAM) https://www.fairinstitute.org/fair-controls-analytics-model espouses a more rigorous analysis of the effectiveness of security controls in reducing organizational risk. There are three pivotal aspects that impact the effectiveness of each security control:
Assessment of Risk Reduction Value - Security controls should undergo evaluation based on their effectiveness in reducing risks.
Relationships and Dependencies - Security controls often interconnect and rely on each other in a security ecosystem.
Operational Performance vs. Intended Performance - The operational performance of a security control may sometimes fall short of its intended level of effectiveness.
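As an added, constructed illustration of the three aspects just listed (this is not the FAIR Institute's model, its formulas or its code): a small Python model in which each control has an intended effectiveness, an operational coverage that may fall short of it, and dependencies on other controls. The multiplicative combination, the control names, the costs, the baseline loss figure and the assumption that a process control such as a rule-review cadence reduces loss only through the controls that depend on it are all assumptions made for this example.

```python
"""Constructed illustration of control value, dependencies and operational shortfall.

Assumptions (not FAIR-CAM's own formulas): a control's effective strength is
intended * operational, multiplied by the effective strength of every control
it depends on; risk reduction is that strength applied to a baseline annual loss.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    intended: float               # fraction of in-scope loss events stopped if it works as designed
    operational: float            # fraction of the time / of assets where it actually works as designed
    annual_cost: float            # constructed figure, arbitrary units
    reduces_loss_directly: bool   # False for supporting/process controls (value flows via dependents)
    depends_on: List[str] = field(default_factory=list)


def effective_strength(name: str, controls: Dict[str, Control],
                       _chain: Optional[List[str]] = None) -> float:
    """Operational effectiveness of `name` after its dependencies are accounted for."""
    chain = (_chain or []) + [name]
    if name in (_chain or []):
        raise ValueError("circular dependency: " + " -> ".join(chain))
    ctrl = controls[name]
    strength = ctrl.intended * ctrl.operational          # aspect 3: operational vs intended
    for dep in ctrl.depends_on:                          # aspect 2: relationships and dependencies
        strength *= effective_strength(dep, controls, chain)
    return strength


def performance_gap(name: str, controls: Dict[str, Control]) -> float:
    """How far the control's real-world strength falls below what it was bought to deliver."""
    return controls[name].intended - effective_strength(name, controls)


def risk_reduction(name: str, controls: Dict[str, Control], baseline_annual_loss: float) -> float:
    """Aspect 1: expected annual loss avoided by this control on its own (0 for supporting controls)."""
    if not controls[name].reduces_loss_directly:
        return 0.0
    return baseline_annual_loss * effective_strength(name, controls)


def rank_by_value(controls: Dict[str, Control],
                  baseline_annual_loss: float) -> List[Tuple[str, float, float]]:
    """(name, risk reduction, risk reduction per unit cost), best value first."""
    rows = []
    for name, ctrl in controls.items():
        if not ctrl.reduces_loss_directly:
            continue
        reduction = risk_reduction(name, controls, baseline_annual_loss)
        rows.append((name, reduction, reduction / ctrl.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample: the NGFW is strong on paper but half its rule base is
# permissive exceptions, and it depends on a rule-review process that only runs 70% of the time.
SAMPLE_CONTROLS: Dict[str, Control] = {
    "ngfw": Control("ngfw", 0.8, 0.5, 200.0, True, ["rule_review"]),
    "rule_review": Control("rule_review", 0.9, 0.7, 30.0, False),
    "mfa": Control("mfa", 0.9, 0.95, 40.0, True),
    "edr": Control("edr", 0.7, 0.6, 120.0, True, ["asset_inventory"]),
    "asset_inventory": Control("asset_inventory", 1.0, 0.8, 25.0, False),
}
BASELINE_ANNUAL_LOSS = 1000.0   # constructed, arbitrary units


if __name__ == "__main__":
    for name, reduction, per_cost in rank_by_value(SAMPLE_CONTROLS, BASELINE_ANNUAL_LOSS):
        print(f"{name:<8} strength={effective_strength(name, SAMPLE_CONTROLS):.3f} "
              f"gap={performance_gap(name, SAMPLE_CONTROLS):.3f} "
              f"reduction={reduction:7.1f} per_cost={per_cost:6.2f}")
```

Run as a script, the sample ranks MFA first and the NGFW last: the firewall's 0.8 intended effectiveness shrinks to about 0.25 once its permissive rule base and the unreliable review process it depends on are counted, which is the kind of gap the three aspects above are meant to surface before, not after, the purchase.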