How to Select Effective Security Controls

Risk–benefit analysis, defence in depth, information security objectives and proportionality

Looking to mitigate your information security risks but not sure how to choose effective controls while staying on budget?

Risk–benefit analysis is key, as is defence in depth.

You also want to set information security objectives that are aligned to your business objectives, and be proportionate in your control selections.

Our head of GRC (governance, risk and compliance) consultancy, Damian Garcia, explains further.

In this interview

Risk–benefit analysis

How do you choose appropriate security controls?

You need to be clear on two things:

  1. What’s the benefit of implementing that control?
  2. What’s the associated risk?

Then hopefully, the benefit outweighs the risk.

That seems straightforward. So, how can things go wrong?

People are prone to thinking: “We’ve implemented a control, so we’re fine – we’re protected.”

Except that’s not necessarily the case. Particularly with documentation.

You’re not protected just because you’ve created a policy – that’s the security equivalent of thinking that simply having a kettlebell in your house will get you into shape.

For your policies to be effective, they must be:

  • Implemented;
  • Realistic; and
  • Easy for people to follow.

Yes, you’ve created that policy for the sake of security. But a good policy must also enable productivity, or people will circumvent it. They’ll take shortcuts, wanting to get from A to B as quickly as possible. That’s just human nature.

Defence in depth

What about enforcement of that policy?

Right. Just because you have a piece of paper that says ‘staff must do X’ or ‘staff may not do Y’ doesn’t mean your employees are indeed doing or not doing those things.

I constantly see organisations declare: “We have a policy.” But that’s only one control. In reality, you need defence in depth.

So, yes, have a policy that tells people what they should be doing [or not doing]. But if we take a password policy as an example, which will say stuff like:

  • Passwords must contain at least 12 characters;
  • Passwords must use a mix of upper- and lower-case letters, numbers and special characters;
  • MFA [multifactor authentication] must be enabled where available; and
  • Passwords mustn’t be written down anywhere.

Don’t solely rely on people. Even if they don’t take shortcuts, they’re still prone to human error. This comes back to the insider threat.

Where possible, use technical controls to enforce your policies. Even ‘not writing down passwords’ can be supported with a technical control: permitting users to use a secure password manager.

Again, layer your defences. Don’t rely on just one control. And try to select controls that come at it from different directions, like the way the latest version of ISO 27001 has broken down the Annex A controls into four areas: organisational, people, physical and technological.

Suppose an organisation selected its controls from a source like Annex A of ISO 27001. How would they go about it?

When I conduct a risk assessment with a client, we establish:

  • What information assets are they protecting?
  • What threats do they face?
  • What vulnerabilities do they have?
  • What are the impact and likelihood of those vulnerabilities being exploited by those threats? What are the risks?
  • What controls should they select from Annex A to address those risks?

For example, if we’re talking about compromised user credentials, what do you need?

  • Organisational: an information security policy, an acceptable use policy and a password policy.
  • People: staff awareness training and a good security culture.
  • Physical: check policies are enforced – have office managers check that there are no sticky notes with passwords stuck to monitors, etc.
  • Technological: technically enforce your password complexity requirements.

You get lots of different elements working together, which all play their part in addressing that risk.

[We discuss control selection in more detail later.]

Leadership support and information security objectives

How can you justify the cost of this multilayered approach to senior management?

A big part of any ISO 27001 ISMS [information security management system] is establishing the information security objectives. These must be aligned to the overall business objectives.

Now, what does senior management care about?

  • Increased profits
  • Greater market share
  • Improved productivity

That type of thing. So, to get leadership to properly buy into the ISMS, link the information security objectives to those types of goals.

How can that be achieved?

IT in general has always been seen as a cost to the organisation – that is, until something breaks. Until the lack of IT investment ends up costingthe business money through damages and lost opportunity.

So, for information security, explain to the leadership team that revenue, profits, etc. will be impacted if the information security controls don’t work and a risk materialises.

Also, prioritise the catastrophic risks – the ones that, if they materialise, could put the organisation out of business.

Is part of the solution to include information security risks – particularly the catastrophic ones – on the corporate risk register?

That would help improve visibility, yes. Significant risks to the business – including information security risks – should be discussed in board meetings so that all stakeholders are aware of them.

And yes, catastrophic risks especially need to be on the risk register. You want to ensure the senior leadership team has full visibility of risks above the organisation’s capacity to absorb their impact, so it can make appropriate decisions about how to address those risks.

Again, you want to link information security objectives to the overall business objectives.

Do you have tips for setting good information security objectives?

Start by asking yourself why you’re implementing the ISMS. Almost always, it’s because customers want third-party assurance that you have good security in place. The ISMS may also be driven by legal or contractual requirements.

But the devil lies in the detail: what is ‘good’ information security?

It comes down to understanding what information assets you’re trying to protect, and managing the risks to those assets. ‘Good’ security looks different for each organisation. And a lot of it can be guided by the objectives of the ISMS: how can we determine whether the ISMS is doing its job well?

Those objectives should be measurable. Make it easy to see whether you’re achieving them.

The controls you select should feed back into this:

  • Will they help you achieve your information security goals?
  • Are your controls effective? Are they doing the job you need them to do?

Finding this interview useful? To get notified of future
Q&As and other free resources like this, subscribe to
our free weekly newsletter: the Security Spotlight.

Control selection

How can organisations select controls that feed back into the information security objectives? Could you give us an example?

I was speaking to the CISO of a client the other week, who wanted me to suggest “best-in-breed” solutions for their environment.

I explained that’s not how things work. You need to query whether the solution is relevant to your business:

  • Does that solution suit your environment?
  • Will the solution help you achieve your objectives?

Even if some solution is ‘best in breed’ for most organisations, does it address the type of information your company deals with? Is it relevant for your organisation’s context? Will it address the information security risks you face?

Again, understand your risks so that you understand what ‘good’ security looks like for you.

That seems to tie into the wider issue of some organisations not making frameworks such as ISO 27001 relevant enough to their business.

Right. Annex A of ISO 27001 contains 93 controls. Not all of them may be relevant to your business, and so long as you can justify it, you can exclude controls.

An obvious example is the physical security controls. Not every organisation has an office or a physical site, so may well find those controls not applicable. The key is to ask yourself for the controls you do select:

Why are we selecting them?

To mitigate a cyber security risk? To meet a legal or contractual requirement? To make your operations more efficient?

Can you share a real-world example?

In a call with an IT manager of another client, he spoke about wanting to bring a third-party application back in-house. So, I immediately asked: “Why? What’s the benefit? How will that improve what you have today?”

While you need to be careful about outsourcing – particularly in terms of understanding that the risk is still your problem – it also brings benefits, like:

  • A guaranteed level of service; and
  • Access to expertise or technologies not available in-house.

How will that change if you bring the activity back in-house?

Do you have any more examples?

I had a client wanting to introduce AI to their environment. Again, my first question was: “Why?”

Because deploying AI really means that you’re running someone else’s code on your systems:

  • How can you be certain that code is secure?
  • What risks might it introduce to your organisation?
  • What business benefits are you getting in return? Will it:
  • How big are those benefits?

Whatever you want to do, think about why you want to do it. What are the benefits, and if something goes wrong, how badly will it affect us? Because make no mistake: stuff does go wrong. Slip-ups happen – just look at CrowdStrike!

It always comes back to the cost–benefit analysis and proportionality.

Proportionality

What does ‘proportionality’ mean here?

You don’t spend £100,000 on implementing a control that addresses a risk that, if it materialised, would only cost you £50,000. You need proportionality.

If you look at something like DORA [Digital Operational Resilience Act], proportionality is a key principle. The controls must be proportionate to the size of the organisation and the level of the risk.

That’ll predominantly be on a quantitative basis – the financial impact – but can also take other impact types into account, like reputational and operational.

Wouldn’t it always come down to financial impact? As reputational and operational damage would still be tied to a financial cost?

In a way, yes, but you should still look at reputational damage separate to any direct financial impact.

You get case studies like Vastaamo, a Finnish psychotherapy provider, which was forced into bankruptcy due to a ransomware attack caused by basic security issues like weak passwords and a lack of encryption.

When the information involves sensitive medical records, that’s just inexcusable – your reputation will be down the drain.

The same will apply to other healthcare, finance, and other industries that deal with lots of highly sensitive data. If you make no effort to keep it safe, you’re risking your entire business.

Accelerate your risk assessments

CyberComply makes conducting information security and ISO 27001 risk assessments simple:

  • Automate, review and repeat risk assessments, reducing the time spent on them by up to 80%.
  • Take advantage of CyberComply’s built-in library of threats, vulnerabilities and controls to treat risks.
  • Schedule tasks and reminders to review risks and stay on top of your implementation project.

Don’t take our word for it

Here’s what our customers say:

Stefano G:

CyberComply is very easy to use and easy to assign risks to risk owners and set up regular reviews – Great piece of software.

Yemi L:

I love everything about CyberComply. There is nothing that is not useful.

Steve Atkinson:

We required a simple solution to document our assets and complex data flow processes for compliance and risk analysis. CyberComply tools allow us to do this quickly and efficiently; the user interface is easy to understand and intuitive to use, which is key here.

About Damian Garcia

Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he’s helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.

He has an MSc in cyber security risk management and maintains various professional certifications.

As our head of GRC consultancy, Damian remains deeply committed to safeguarding organisations’ information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.

We’ve previously interviewed Damian about how to start managing risks and how to mitigate them, the insider threat, and common cyber security and ISO 27001 myths.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.

Alternatively, explore our full index of interviews here.

Leave a comment

Your email address will not be published. Required fields are marked *