Insights from a Day at the Beach: Control Effectiveness & Shared Responsibilities

When you love what you do, you start seeing it in almost everything around you. Whether you’re taking a walk or just spending a day at the beach, observations become clearer, and patterns begin to emerge. I share these thoughts because one of the biggest challenges in cybersecurity is communication – effectively explaining concepts to stakeholders who may not have a technical background but must still understand them.

1. Control Effectiveness

Security control effectiveness measures how well existing security controls and defence mechanisms within an organization can prevent, detect, or respond to a cyberattack, relative to their intended purpose and design.

An often-overlooked aspect of control effectiveness is its dependency on the environment and context around it. Even perfectly implemented controls can be ineffective if environmental factors are not considered. For instance, consider the image below of a gazebo. It has been assembled correctly, but the position of the sun (an external factor in relation to the control) causes the shade to fall a meter away from it, rather than directly underneath it as intended. This illustrates a perfectly implemented control failing to achieve its purpose: providing shade for those underneath it.


In cybersecurity, an analogous example could be an organization enforcing a strong password policy requiring complex passwords (e.g., 12+ characters with uppercase, lowercase, numbers, and symbols). The policy may be technically correct and implemented properly. However, if the working environment requires, and the systems technically allow, password sharing, the policy's intent (tying each login to one accountable person) is bypassed. As a result, the control becomes ineffective even though every password satisfies it.

Understanding the context, such as the need for a shared account due to high employee turnover in a department, could lead to designing the control differently. For instance, you might implement restricted access, additional monitoring, or screen recording to address the specific needs of the environment.
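As an added example (not code from the article or its author), the following Python script shows the gazebo problem in code: a password-complexity check that the policy above would pass, run beside a monitoring check over constructed authentication log lines that flags an account used from several hosts within a short window, the footprint a shared account leaves behind. The log format, account names, IP addresses and the 15-minute / two-host thresholds are all assumptions made for this example.

```python
"""Added example, not from the original article.

Shows why a password policy can be "correctly implemented" yet ineffective:
the complexity check says nothing about who is using the password, so a
compensating monitoring control (concurrent logins from distinct hosts) is
needed where shared accounts exist. Log format, users, IPs and thresholds
are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def meets_policy(password: str) -> bool:
    """The 'correctly implemented' control: 12+ chars, upper, lower, digit, symbol."""
    checks = [
        len(password) >= 12,
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[a-z]", password) is not None,
        re.search(r"\d", password) is not None,
        re.search(r"[^A-Za-z0-9]", password) is not None,
    ]
    return all(checks)


# Constructed sample log lines (hypothetical format: ISO timestamp, user, src, result).
LOG_LINES = """\
2024-03-04T08:01:12Z user=frontdesk src=10.1.4.21 result=success
2024-03-04T08:03:40Z user=frontdesk src=10.1.4.33 result=success
2024-03-04T08:05:02Z user=frontdesk src=10.1.9.70 result=success
2024-03-04T08:07:55Z user=jdoe src=10.1.4.21 result=success
2024-03-04T08:10:00Z user=asmith src=10.1.4.50 result=fail
2024-03-04T09:30:00Z user=jdoe src=10.1.4.21 result=success
2024-03-04T11:00:00Z user=frontdesk src=10.1.4.21 result=success
"""

LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")


def shared_account_candidates(log_text: str,
                              window: timedelta = timedelta(minutes=15),
                              min_hosts: int = 2) -> dict:
    """Compensating control: flag accounts with successful logins from
    at least `min_hosts` distinct sources inside any `window`-long span.
    Returns {user: sorted list of hosts} for the first qualifying window."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, user, src, result = m.groups()
        if result != "success":
            continue  # failed attempts do not show who holds the password
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src))

    findings = {}
    for user, events in by_user.items():
        events.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _) in enumerate(events):
            hosts = {src for t, src in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    # The policy is satisfied ...
    print("policy ok:", meets_policy("Fr0ntDesk!2024"))
    # ... and yet the account is plainly shared across three hosts in 4 minutes.
    print("shared-account candidates:", shared_account_candidates(LOG_LINES))
```

The point to take from the output is that both checks pass independently: the password is compliant and the detector still fires, because the policy measured password strength while the real risk in this environment was attribution. Tune `window` and `min_hosts` to the department's actual workflow before alerting on it, or a legitimate roaming user will look like a shared account.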


2. Shared Responsibilities

Recently, on a day outing to the beach, the following realisation occurred to me. I have two toddlers, and no matter who offers to watch them, I cannot outsource the responsibility for ensuring their safety. Even if I contract a professional childcare service, the ultimate responsibility for their safety remains mine. If anything happens, I bear the loss and consequences most severely.

In cybersecurity and data protection, the shared responsibility model is often referenced. This model outlines who is responsible for what. The simplest way to understand your responsibility is to ask: Who suffers the loss and consequences most severely? Who is impacted the most?

If data is entrusted to your organization, regardless of contracts or clauses with your third parties, the responsibility to protect the data remains yours. Tasks can be outsourced, but the ultimate responsibility and accountability to protect the data cannot.

For another similar example, see this article: https://www.dhirubhai.net/pulse/intersection-user-centric-security-culture-grant-hughes-wixhf/?trackingId=YX4u9m%2FuQ%2Fuk%2FOWCAj6RKQ%3D%3D

Walt Strydom

Driving growth | Fostering partnerships | Shaping the future through Innovation and Strategy | Cybersecurity Thought Leader | AI Enthusiast

1 month

Great insights, Grant! The analogy between a day at the beach and control effectiveness really highlights the importance of shared responsibilities in cybersecurity. It’s a powerful reminder that even the best controls require collaboration to be truly effective. Thanks for sharing this perspective!

Reply

Funny but true... talk about being in the "hot seat" when asked if the value of this control was "realised"...

Reply

Luke Cifarelli

Cymulate Country Manager

1 month

A day at the breach?

Chrislo Badenhorst

CTO | CCFE | Solutions Architect | ITIL | Software Developer

2 months

Interesting, great illustration. Something to really think about.

Reply
