Be a Control Freak
Sue Bergamo
Global CIO/CISO | Executive Advisor | Board Ready | Podcaster | Author | Passionate to create a safer world, using my expertise in cybersecurity/technology to develop innovative solutions for growth oriented companies.
Recently, I went on a skiing trip to Park City, UT. As a longtime skier, I was excited about skiing in one of my favorite resorts and the conditions were incredible with almost 400” of snowfall between January and March. The week couldn’t have been any better, the temperatures were warm and during the weekdays the slopes were sparse with people.
Being an avid skier, I am aware that ski resorts have rules of engagement, which are called controls. If a skier does not follow the rules of the resort, they can lose their lift ticket and be removed from the park. The primary ski controls are as follows:
At this stage of the article, you’re probably wondering what skiing has to do with security and I’m almost to the point that I’m trying to make.
During the trip, I kept thinking that there was an article in the making and tried multiple subjects to find the right topic to focus on. After going up several chair lifts, at the top of every mountain was a large diamond-shaped sign in bright yellow. The sign read ‘Be A Control Freak’. I realized that a subliminal message had been right in front of me and thankfully was noticed. Security is like skiing: it’s all about control.
Since security is a mystery to so many individuals, and all levels of organizations are reading my articles, I’d like to provide a breakdown and education to those that are not security professionals. Let’s take the mystery out of security and start discussing the importance of having a robust program that includes people-process-technology.
Many of us have had someone (who doesn’t understand the importance of security) tell us that controls are just another way to slow down the process of X (feel free to fill in the topic of choice here). Like skiing, security controls are a guardrail that further educates our employee base and is used to provide defense in depth for our company. Controls are not another way to slow down a process – rather, they enhance processes by having practices that produce expected outcomes. An example of a practice is role-based security, where individuals receive the same privileges based on their position and their requirement to see a portion of a data set to accomplish their work responsibilities. Without adequate role-based security practices, imagine a company where customer support reps have access to bank accounts or salespeople have access to the product’s source code. Since employees are the #1 security concern, controls should be seen as a way to improve a process. Technology is then used to monitor the controls and how effectively people follow the processes.
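The role-based security practice described above, as an added example that is not part of the original article: privileges are attached to roles rather than to individuals, every request is denied unless the role explicitly grants it, and each decision is written to an audit log so the control can be monitored. The role names, resources, users and sample requests are constructed for illustration; the support rep reaching for bank data and the salesperson reaching for source code are the two scenarios from the paragraph.

```python
"""Role-based access control with deny-by-default and an audit trail.

Added example, not from the original article. All roles, resources, users
and requests below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed policy: each role is granted only the (resource, action) pairs
# its job function requires. Anything absent from the set is denied, so a
# new resource stays private until access to it is deliberately granted.
ROLE_PERMISSIONS = {
    "customer_support": {("customer_profile", "read"), ("support_ticket", "write")},
    "sales": {("customer_profile", "read"), ("price_list", "read")},
    "finance": {("bank_account", "read"), ("bank_account", "write")},
    "engineering": {("source_code", "read"), ("source_code", "write")},
}

# Constructed user-to-role assignments. Privileges belong to the role, never
# to the person, so two people in the same position get identical access.
USER_ROLES = {
    "alice": {"customer_support"},
    "bob": {"sales"},
    "carol": {"finance"},
    "dave": {"engineering"},
}


@dataclass
class AuditEntry:
    user: str
    resource: str
    action: str
    allowed: bool


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, resource, action):
    """Deny-by-default: unknown users, unknown roles and unlisted resources all fail."""
    return (resource, action) in effective_permissions(user)


def authorize(user, resource, action, log):
    """Decide the request and record the outcome so the control can be monitored."""
    allowed = is_allowed(user, resource, action)
    log.entries.append(AuditEntry(user, resource, action, allowed))
    return allowed


def denied_attempts(log):
    """Denied entries are the signal a monitoring team reviews for misuse or misconfiguration."""
    return [e for e in log.entries if not e.allowed]


def run_demo():
    """Replay a constructed batch of requests and return (decisions, denied entries)."""
    log = AuditLog()
    requests = [
        ("alice", "customer_profile", "read"),  # support rep doing her job
        ("alice", "bank_account", "read"),      # support rep reaching for bank data
        ("bob", "source_code", "read"),         # salesperson reaching for source code
        ("carol", "bank_account", "write"),     # finance doing its job
        ("mallory", "source_code", "read"),     # user with no role assignment at all
    ]
    decisions = [authorize(u, r, a, log) for u, r, a in requests]
    return decisions, denied_attempts(log)


if __name__ == "__main__":
    decisions, denied = run_demo()
    for entry in denied:
        print(f"DENIED {entry.user} {entry.action} {entry.resource}")
```

The policy is a set of explicit grants rather than a list of exclusions, which is what makes it a guardrail: a new data set or a new hire starts with no access, and an access review is just a printout of `effective_permissions` for each user compared against what their position actually needs.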
Security controls are meant to provide a foundation and set up the rules of engagement for a company. Securing every aspect of the company from the front door to the source code doesn’t have to be monumental or arduous. In companies with a mature program, security is used as a sales enabler, thereby providing brand recognition through the reinforcement of trust. Customers expect their data to be protected and controls are one mechanism in establishing trust.
Security starts with the management of risk. Most CISOs use the NIST Risk Management Framework (800-35). This framework is easy to comprehend and implement.
To break down the NIST Risk Management Framework: when threats and risks are identified, companies that have implemented a set of standard, repeatable and consistent practices (controls) work to protect the delivery of services and products. These controls are then monitored to detect future incidents and enable a response to the threat with a decisive action plan. The final step is that once the recovery occurs, the controls are reassessed and further hardened to avoid potential disruptions. Risk is managed at various levels of the organization – from the Board and Executive Committee (company-related risk) to Management (organization-related risk).
Think of the NIST framework as a foundation, and while the framework does venture into several control areas, it is not comprehensive enough to be considered the only aspect of a security program. It is equivalent to the large, diamond-shaped yellow sign at the top of the mountain reminding us to stay in control.
For the actual controls within a security program, each one is implemented at a maturity level that warrants continuous improvement to strengthen the environment. In my program, I always solve for the hardest equation – ISO 27001, as the other frameworks fall within and beneath, meaning the ISO framework covers the controls that an auditor is looking for in a SOC2 or PCI audit (and others). This does not mean that a company must certify in ISO 27001, it only means that they’ve implemented stringent controls to secure their environment.
The ISO 27001 framework has 18 primary controls and a wide variety of sub-controls. The organization’s program needs to have a continuous improvement vehicle or a plan to show how improvements will be made to mature processes. To measure continuous improvement, audits are performed either internally, externally, or both. External audits have an outcome of either a certification or report by an accredited auditor.
Each of the controls is another article and over time, we’ll cover more information in subsequent posts. Controls are one part of an overall security strategy and to begin your own program, start by assessing the controls that are a part of your current environment and determine where the gaps lie. This one exercise provides a view into how mature the existing program is.
As always, your feedback on these articles is encouraged.
© 2023. All Rights Reserved
Sue Bergamo is an executive advisor to C-Suite executives and is a CISO and CIO. She can be reached at [email protected]. The content within this article is the sole opinion of the author.
Senior Manager at Centric Consulting
1 year ago: Sue, great article. And yes, I was wondering how you were going to tie security into skiing!
Vice President, Northeast @ Centric Consulting | Strategy, Process, and Technology
1 year ago: #SkiControls. !!!
Co-founder & CTO @ Entro Security | CISO | Cloud & Cyber Security Expert | Tech Lead | Software Engineer
1 year ago: Thank you for this post.
Co-Founder & CEO at Entro Security | CISO | X-Microsoft | Cyber & Cloud Expert | Revolutionize non-human Identity management & Secrets Security for CISOs and security teams at Entro Security
1 year ago: Great one Sue! Loved it!
Helping IT leaders achieve digital transformation goals faster by removing unnecessary workplace friction.
1 year ago: Thanks for breaking it down Sue Bergamo! Your analogies provide much more clarity about the importance and process of securing organizations.