Security Controls: Find the Right Balance

Anytime there is risk that potentially needs to be reduced, controls are put in place in order to do so.

Do you find yourself wondering “how many security controls are too many controls?” or “do I have enough security controls in place?” If so, you may be on to something and you’re not alone!

Organizations need to find the right balance when it comes to implementing controls, specifically with information and cybersecurity.

So far, our TRAC blogs have covered the following topics: Training, Risk Assessment and Administration. Last, but certainly not least, we need to discuss our “catch-all”, Controls.

Controls, technically, could encompass all of the areas we have already addressed with our previous TRAC topics. But the definition of controls goes back to classic risk theory.

Risk 101

When we are talking about information and cybersecurity, there are obvious technology controls that can (and should) be put in place.

That said, technology controls, as well as all other controls, should only be put in place as needed. More importantly, they should be implemented to the extent that they do not drastically impede organizational operations.

Compliance vs Risk Management

When talking about different controls, there are generally two ways to approach them (spoiler alert: both are technically risk based).

The first is purely risk based. This involves assessing the needs of the organization and the infrastructure, information, and services that need to be protected. The organization then needs to identify which attacks could compromise the things that should be protected.

While effective, this approach tends to be very time intensive and can become expensive.

The second approach is compliance with a prescribed set of controls. Compliance programs and their controls save time and money. The trade-off to compliance is that customization becomes limited, because anything outside of the prescription is not covered.

The Happy Medium

The most easily understood compromise is to start with a compliance program and use traditional risk methodologies to address what is left over. While this does get back into a “time-sink”, an excellent balance can be struck when the organization adds its own customization to the compliance controls and ends up with a properly modified standard that it can comply with.

The final approach to all of this is to flip the entire situation on its head.

What do I mean by that? Consider this: if the function, the information that is to be protected, and a reasonable assurance of the attacks against the system are known, then the organization can engineer a solution specifically to the requirements of the standard it chooses to follow.

As always, the organization needs to find the right balance of security so as not to impede operations.

If your organization is looking to find that right balance while creating or improving its information and cybersecurity program, Beryllium InfoSec Collaborative can help. To start that conversation, contact us at info@berylliuminfosec.com.

For more information on Beryllium, visit www.berylliuminfosec.com.

Derek White
Director of Business Development & Partner
Derek is committed to positive and compliant outcomes for customers, specifically through subject matter expertise and collaboration with internal and external resources.
