Do you find yourself wondering “how many security controls are too many controls?” or “do I have enough security controls in place?” If so, you may be on to something and you’re not alone!
Organizations need to find the right balance when it comes to implementing controls, specifically with information and cybersecurity.
So far, our blogs have covered the following DFARS compliance and NIST 800-171 compliance topics: Training, Risk Assessment and Administration. Last, but certainly not least, we need to discuss our “catch-all”: Controls.
Controls, technically, could encompass all of the areas we have already addressed with our previous TRAC topics. But the definition of a control goes back to classic risk theory.
Any time there is a risk that needs to be reduced, controls are put in place to reduce it. When we are talking about information and cybersecurity, there are obvious technology controls that can (and should) be put in place.
That said, technology controls, like all other controls, should only be put in place where a risk calls for them. Just as importantly, they should be implemented only to the extent that they do not drastically impede organizational operations; a control that staff work around because it blocks their job reduces risk far less than it appears to on paper.
When it comes to selecting controls, there are generally two ways to approach it (spoiler alert: both are technically risk based).
The first is purely risk based. This involves assessing the needs of the organization and the infrastructure, information, and services that need to be protected, then identifying which attacks could realistically compromise those assets and how much damage each would do. Controls are chosen specifically to bring those risks down to a level the organization can accept.
While effective, this approach tends to be very time intensive and can become expensive.
The second approach is compliance with a prescribed set of controls. Compliance programs and their controls save time and money because the control set has already been worked out. The trade-off to compliance is that customization becomes limited: anything outside of the prescription is not covered, and some prescribed controls may address risks your organization does not actually have.
The most easily understood compromise is to start with a compliance program and use traditional risk methodologies to address what is left over. While this does reintroduce some of the “time-sink”, an excellent balance can be struck when the organization adds its own customization to the compliance controls and ends up with a properly tailored standard that it can comply with. NIST 800-171 itself includes a requirement to periodically assess risk, so this hybrid is the approach the standard expects rather than a departure from it.
The final approach to all of this is to flip the entire situation on its head.
What do I mean by that? Consider this: if the function of the system, the information that is to be protected, and a reasonable understanding of the likely attacks against the system are all known up front, then the organization can engineer a solution that meets the requirements of the standard it chooses to follow from the start, instead of bolting controls onto a system that was designed without them.
As always, the organization needs to find the right balance of security so as not to impede operations.
If your organization is looking to find that right balance, while creating or improving its information and cybersecurity program, Beryllium InfoSec Collaborative can help.