By minimizing risks that could affect your business, you are putting your organization in the best place to increase productivity and protect against threats. As discussed in our blog post "Is there a difference between cybersecurity and information security", the most common approach to managing risks – and what we spend most of our time on – is mitigating them using controls. There are many ways of categorizing information security controls. One basic taxonomy groups security controls into administrative, physical, and technical. The NIST 800-53 R5 control catalog used by the U.S. government for protecting its information systems breaks controls down into 20 different categories, ranging from Access Control to Media Protection through Supply Chain Risk Management. The NIST cybersecurity framework (CSF) uses five pillars of controls: Identify, Prevent, Detect, Respond, and Recover. I would change this up slightly and look at five groups: governance, preventative, detective, reactive, and validation controls.
Governance controls, or more broadly Governance, Risk, and Compliance (GRC) controls, are the overarching controls that drive the rest of your security program. The governance portion covers policies, procedures, and standards spanning your entire information security program across the organization, and it includes a change management function. The risk portion is the risk management we discussed in our article "What is Information Security"; this includes asset lifecycle management, threat intelligence, and supply chain risk management. Compliance is a function that often lives here and has a dotted line to the general counsel's office; it is responsible for ensuring that the information security program has all the right controls in place to comply with whatever legal, regulatory, industry standards, or certifications the organization holds or needs to abide by. GRC also often includes functions such as training and awareness, and business continuity planning.
Preventative controls are what people most often think about when they think about information security. These are the network controls such as firewalls, remote access management, encryption in transit, resilience, network intrusion prevention, and data loss prevention. Another large category here is the system and endpoint controls, such as backups, secure baselines, integrity mechanisms, encryption at rest, media protection, and endpoint protection. It also includes overarching controls such as Identity and Access Management (IdAM), physical and environmental controls, the Secure Software Development Lifecycle (SSDLC), and vulnerability management.
Detective controls are how we know that our security policy has been violated. They rely on many of the preventative controls, as well as on the asset management performed by the risk management function. Our detective controls largely rely on auditing – or logging – functionality, from audit collection to audit baselining, audit monitoring, and finally audit investigation. When a security policy violation has been found, our reactive controls kick in. The two principal categories here are incident management – including incident communications – and forensics – including malware analysis.
We like to call out validation controls as their own category, in part because they are often best performed by an independent third party. The thing people most often think of in this area is penetration testing, which may cover both infrastructure and software. Closely related is social engineering testing, which is focused on seeing whether staff will inadvertently violate information security policy and reveal information or grant access to systems when they shouldn't. This category also includes exercise management for testing things such as your incident response plan and business continuity plan.
The role of a CISO:
Overseeing all of this is the Chief Information Security Officer (CISO), who serves as the interface between the information security program and the executives and board of an organization. The primary purpose of the CISO is to translate the tech speak of all these information security controls into the business speak of the rest of the organization.
In most organizations the CISO reports to the CIO, chief counsel, or CFO. Given the increasing importance of information security risks, larger organizations are starting to have the CISO report directly to the COO or CEO. Industry is starting to accept that best practice is actually to have the CISO report directly to the board, in the same way that many CFOs do, to ensure that the board is properly apprised of major risks to the organization.
CISOs also serve a people management function for the information security staff. Some organizations matrix staff into information security, which can cause a conflict of interest when the CISO is urging caution and someone's administrative manager is pushing to just get something done. In smaller organizations CISOs tend to take a more hands-on approach, directly taking on many of the governance, risk, and compliance functions, and often parts of the numerous other controls as well, including audit monitoring, controls validation, and incident management.
While large organizations require a full-time CISO, most small to mid-sized organizations do not need, and oftentimes cannot find, a full-time CISO, and are better served by a fractional or virtual CISO (vCISO). Scalesology has experienced CISOs who can provide the right-sized service your organization needs to manage your information security program. Contact us today, and let's ensure your organization can scale without the worry of threats to your business.