What Is the Relation Between Cybersecurity Capability, Control, and Function?

As security professionals we regularly use the terms Cybersecurity Capability, Cybersecurity Control and Cybersecurity Function (no, they are not the same as people, process and technology). Interestingly, these three terms carry different meanings in different organizations, and they are often interpreted incorrectly. Here is an example: we often hear about a "maturity assessment of security posture", but what we actually do is assess security controls and determine how mature those controls are. Is there anything wrong with that approach? No, absolutely not, but it gives us only half the picture and a tactical view; it does not give us the holistic picture at the capability level, which is the strategic view. This gap in the layered applicability of these terms leads to a range of issues: building the right set of reference architectures, allocating and using resources (technology, finances, personnel), and assessing maturity at all levels rather than only tactical maturity.

You may have already come across varying theories and justifications about their similarities and differences, or about how they relate to each other. Cybersecurity capability, cybersecurity control and cybersecurity function are undoubtedly related concepts, but they sit at different levels of the hierarchy and have different meanings and applications.

Let’s take a closer look, first at how they differ, and then at how they are related.

Here is an attempt to define these terms:

  • Cybersecurity Capability is an organization's overall ability to protect its information and technology assets from continuously evolving cyber threats and emerging risks. A capability includes the organization's ability to collectively utilize the people, processes, technology, and policies dedicated to the prevention, detection, and response to cyber-attacks. Cybersecurity capability is the higher layer: it may include multiple security strategies, related controls, people skills and competencies, and, more importantly, the organization's overall ability to maintain a secure, resilient, mature, and continuously risk-optimizing posture against cyber threats while enabling business change.
  • Cybersecurity Control is a very specific measure or countermeasure that alters the effects of a cyber-attack. Security controls can be technical, organizational, administrative, or physical, and are designed to defend against, withstand, and successfully recover from the effects of cyber threats. Examples include zero trust mechanisms in the cloud or on a network, provisioning of applications so that only authorised users are allowed in, and security systems in general.
  • Cybersecurity Function is the organizational unit (or units) accountable for implementing and maintaining security controls, policies, and procedures, and responsible for creating the organization’s incident response plans. Many organizations have a dedicated team that focuses solely on managing security risks, maintaining continuous compliance by aligning with industry regulations and standards, and effectively responding to security incidents; many others distribute these accountabilities across multiple teams and departments.

Therefore, while cybersecurity capability, cybersecurity controls, and cybersecurity functions are individually distinct concepts, they are also strongly interconnected and interdependent in determining an organization's ability to build cyber defence against cyber threats and to maintain its overall cybersecurity posture.

It is important to point out that a cybersecurity capability comprises security controls that are integrated through the cybersecurity function(s) to give the organization the ability to protect its information from cyber threats.

Diana Kelley, CISO at ProtectAI, explains, "An organization's ability to protect, defend, and respond to attacks requires a strategic architecture and operating model that incorporates security controls and resource planning. Planning and architecture provide context for controls and functions to ensure optimal, best-fit security operations."

Let’s sum it up with two example cybersecurity capabilities:

  • Incident Response Management: Incident response management is a key cybersecurity capability that helps organizations prepare for cyber incidents and respond to them. A well-matured incident response capability generally consists of a range of security controls that enable an organization to quickly detect and respond to security incidents. These security controls include monitoring and alerting systems that detect and alert on suspicious activity on the organization's networks or systems; most of these systems automatically generate alerts as soon as they detect unusual activity or other signs of a potential cyber-attack. Commonly, there will also be an incident response plan that outlines the steps the organization should take in response to a security incident.
  • Access Control Management: Access control management is another critical cybersecurity capability that helps organizations prevent unauthorized access to their networks and systems. It generally comprises a range of security controls that are strategically designed to limit access to sensitive applications, data, and systems. Security controls under this capability include authentication systems that verify the identity of users accessing the organization's networks or systems (e.g., usernames and passwords, biometric authentication, or smart cards). Another crucial component of this capability is authorization systems, which control what resources users can access on a network, application, or system.
  • Finally, the security function is responsible for implementing and maintaining the security controls necessary for effective and mature Incident Response and Access Control Management capabilities. This generally involves (but is not limited to) managing the incident response team and user accounts, developing incident response plans and access control policies, and ensuring that the security controls needed to detect and respond to security incidents are in place. The security function plays a crucial role in protecting the organization from security attacks and in ensuring that the organization is prepared to respond to security incidents and protect against cybersecurity risks.

Agnidipta Sarkar, Evangelist Emeritus and current Group CISO at Biocon, mentions, "In a world where change is the only constant, keeping up with cyber security capability of a constantly changing digital landscape demands clarity of thought, a clear understanding of security controls and the components of a security function."

In summary, cybersecurity capability, security controls, and security functions are interconnected and work together to protect the organization's information and technology assets from cyber threats, but they differ in their specific focus areas and responsibilities. Cybersecurity capability refers to an organization's overall readiness to deal with security threats; security controls are the specific measures used to reduce the risk of a cyber-attack; and the security function is responsible for implementing and maintaining those security controls. If you want to arrange them in hierarchical order, cybersecurity capability comes first, followed by security controls, and then the security functions.

Per Åke Andersson

Project Manager at Advania

5 months

Interesting post, thanks for sharing. And it would be even more interesting to see how someone has managed to implement a Cyber Security structure across the organization, with capability, control and functions, regardless of whether the structure is oriented top-down or bottom-up (as I understand Sam Graflund Wallentin is arguing). I really would like to see an example of such a Cyber Security Fabric, with all three terms, where the relations can be n:n in all directions. I also would like your opinion about Cybersecurity Measures and Cybersecurity Services, not always in 1:1 relation to a specific control. How to consider Network segmentation, a Network Monitoring Service, a SOC? How to consider the time frame, the service levels? And, finally; where should a company or business that has nothing in place today start? The Capability, the Functions or the Controls?

Sam Graflund Wallentin

Head of Security Governance at Swedbank

7 months

Thank you! We are currently discussing these things at this very moment. I would like to argue for a different interpretation. According to NIST, the function is the highest level of structure of cyber security activities, put together to fulfil a particular purpose. Other security standards and regulations on the matter have adopted this notion. E.g. in EU DORA it is called an ICT risk management function. It is also said that a function contains a set of predefined security capabilities, and can categorise a set of related control objectives. The function of govern contains a set of capabilities, so does protect, and recover and so on. NIST also says that the security capability is a set of mutually reinforcing controls implemented across people, process and technology, and that a security control is an activity or means put in place to meet a particular control objective. Overall, the concept of cyber security core functions also resonates with common control attributes, e.g. preventive, detective, and responsive. I think there will be a conversation at some point on whether there are more types of controls, following the NIST logic, and to be applicable for risk management in general.

Dhara Mishra

Join our 10th Anniversary at B2B Global Conference on 25th of October at Parramatta | Up to 50 exhibitors | 10 plus sponsors | 200+ Attendees

1 year

Deepayan, thanks for sharing!
