The critical role of security controls for effective cybersecurity management
In cybersecurity, threat actors are relentless. They are numerous, global, credible, and incredibly creative. They also have the advantage in that their role is to attack an existing system – to find and exploit its weaknesses. As skilled as some of these actors are, it is still easier to break an existing object than it is to do what we do – build a new one and anticipate, discover, and remove every possible weakness along the way.
As such, we need a comprehensive and evolving set of tools and skills, and one of these is our collection of security controls. Controls is a far better term than standards, which implies a static endpoint. Controls, by contrast, focus more on the need to continually keep pace with threats, which collectively are an ongoing event.
According to the experts, security controls cover the whole chronology of an attack:
- Preventing an attack
- Detecting/intercepting the attack
- Correcting during an attack
- Deterring attackers from continuing the attack
- Recovery/business continuity post-attack
- Recompensing – using alternate resources to rebuild
Some of these controls are deployed automatically, and some are deployed manually. Woven throughout are specific activities such as vulnerability management, malware investigation, threat assessment and forensics.
Together, they form a critical series of barriers and devices, focused on keeping an organization safe and ensuring a quick return to normalcy and continuity.
While critical, tools are only part of the cybersecurity management solution
The other thing about the word controls is that they are the tools of the job, just as a steering wheel and brake pedal are part of the controls needed for secure driving. But drivers also need to have been trained in driving, they must be licensed, and must also have a plan for each driving destination, including timing and driving style. Outside of the car, there are laws, procedures, and accepted protocols among drivers, pedestrians, and everyone else.
In cybersecurity, too, controls are only part of the solution. Since resources are often limited, every organization must decide what type of risk management approach it wants to apply, including prioritizing the level of protection for each asset, the amount of investment it is willing to spend on proactive versus reactive security measures, which tools and people to deploy, and how these assets will fit both with future activities and the existing legacy infrastructure.
Internal management of security controls is not enough. Compliance is also an issue. There are numerous control standards to consider, such as NIST and ISO 27001, and there are regional and industry-specific controls to comply with, some imposed by the industry and others through government regulation. For example, the Payment Card Industry Data Security Standard (PCI DSS) has more than 50 security controls; the U.S. Health Insurance Portability and Accountability Act (HIPAA) has more than 100, and the U.S. Federal Information Security Management Act (FISMA) has more than 1,000.
This interaction between the motivations of an organization, the regulations of the industry, and the quickly changing environment in which business technology and cybersecurity operate requires a range of skills beyond the mechanical, and much of this falls under the mantle of Governance, Risk and Compliance (GRC).
It is vital that cybersecurity specialists not only understand the scope of the dangers that exist inside and outside their organization, but also be able to process this information in the context of the organization itself. A company may be averse to too much change, especially considering the turbulence brought about by the COVID-19 pandemic. There may be a significant dearth of communication between IT, cybersecurity, and the C-suite, resulting in profound lapses in overall security. This is being observed daily in the incidents of hacking brought on by spear phishing, inadequate password hygiene, underdeveloped work-from-home policies, and newer techniques like social engineering.
Security controls must be organized and described in a way that non-IT people – employees and executives alike – understand and embrace, even if they do not fully grasp all the technical terms. A great deal of cybercrime leverages human factors such as ignorance, reluctance, and trust to penetrate the defences. Even when the controls are in place, if they are ignored, forgotten, or simply switched off – as often is the case – the responsibility and blame will inevitably fall to the cybersecurity specialist.
The role of a CGRC certified cybersecurity professional in securing the organization
Specialized experts like the Certified in Governance, Risk and Compliance (CGRC) play a key role in this space, since they help bridge the gap between the full-time cybersecurity specialists who work hands-on with designing and deploying the security controls, and the executives and employees who determine an organization’s future through their decisions and actions. The holder of a CGRC designation demonstrates the advanced technical skills and knowledge needed to understand key operational issues such as GRC, without which a company cannot move forward. A CGRC can also authorize and maintain information systems, using risk management best practices, policies, and procedures.
The CGRC will be there to generate buy-in from management when building an information security management system (ISMS) security plan, for example, factoring in authorities, regulators, management, suppliers, contractors, and customers while determining its mission and objectives, stakeholders, and regional, legal or industry requirements that must be included.
How the CGRC certification can help you to succeed
The CGRC Certification represents and supports a specific skillset that is central to any organization’s future-of-work strategy, since a central tenet of post-pandemic digital transformation is the blending of so-called soft skills such as communication and strategizing with the traditionally siloed hard skills such as software engineering. It is part of the changing workplace landscape that pre-dates the pandemic, but which was nonetheless accelerated by it.