Use Aggregate Control Effectiveness to Unify Compliance and Security
Does meeting compliance requirements divert resources from improving cyber posture?
Compliance frameworks define what you need to do. Controls are how you meet compliance requirements.
Compliance framework requirements give you wide latitude for deciding on the controls to meet them.
Aggregate Control Effectiveness is the metric for choosing the mix of controls you implement to meet compliance requirements and improve cyber posture.
This is the second article in my Aggregate Control Effectiveness series. Here is a link to the first article entitled Measure and Improve Aggregate Control Effectiveness.
As the number of compliance frameworks continues to grow, I have heard many times that focusing resources on them means diverting resources away from improving cyber posture. That need not be the case.
There is a growing consensus that a compliance framework ought to be used to drive your cybersecurity program. In our view, the decisions you make when selecting controls to meet compliance requirements will determine your overall cyber posture.
Before we discuss this in some detail, we need to define, and hopefully agree on, a few terms – Practices, Requirements, and Controls.
Practices and Requirements are the individual items to which you do or don’t comply. PCI DSS uses the term Requirements. CMMC uses the term Practices.
Controls should be reserved to mean the actual implementations of compliance Practices and Requirements. A single control can implement one specific Requirement or several. As stated in my previous Aggregate Control Effectiveness post, "From our perspective, a control refers to anything technical or administrative that can detect, prevent, and/or limit an adversarial tactic or technique. The goal is to reduce the risk of loss events like ransomware or sensitive information exfiltration. Another way of putting it, a control is anything you have control over that improves cyber posture."
Our definition for Controls is consistent with the AICPA's SOC 2, which comes from COSO.
However, some compliance frameworks use the term Controls to mean Practices or Requirements. ISO 27001 and the CIS Controls are examples. The former is a compliance framework of requirements, and the latter is a framework of prioritized best practices. Both are fine choices for driving a cybersecurity program. But the word Controls should be reserved for implementations, and Practices or Requirements used for objectives.
It is important to keep these definitions in mind for your cybersecurity program. Frameworks define the what (Practices / Requirements), but the how (Controls) is your decision. This distinction means that you have discretion when choosing controls.
Even a framework as prescriptive as PCI DSS gives you wide latitude when choosing controls. For example, firewalls are a requirement, but there are many vendors to choose from that have the features to enable you to meet the PCI DSS firewall requirements. Selecting the firewall with the most granular access control policy capabilities or the best threat prevention/detection features may not be the right decision if the cost of those firewalls squeezes out budget for other controls that are required and may have a bigger impact on overall cyber posture.
While determining individual control effectiveness is surely important, the control’s impact on overall cyber posture is critical when taking into consideration constraints on budgets and resources. So, in a sense, selecting controls with the goal of improving cyber posture is a budget allocation decision-making process.
This is where Monaco Risk comes in. We provide a risk-aware methodology that helps you make decisions on the mix of controls needed to meet compliance requirements that also improve cyber posture. After all, controls are how you mitigate the risks that you are not willing to avoid or accept at the current level, and cannot transfer.
We use a four-stage process that works standalone or integrated into an organization’s existing processes, as follows:
Identify and Triage the Loss Events that are of most concern to management. For example, ransomware and sensitive information disclosure are commonly top risks.
Model, using MITRE ATT&CK(TM), the threat scenarios most likely to lead to those loss events.
Model your current set of controls and calculate your current Aggregate Control Effectiveness.
Run what-if scenarios to analyze the impact of alternative controls on increasing Aggregate Control Effectiveness, thus improving cyber posture.
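To make the four stages concrete, here is a small model in Python that walks through them end to end. It is an added illustration written for this article, not Monaco Risk's methodology or tooling: the ATT&CK technique IDs are real, but the loss-event weights, control names, costs and per-technique stop probabilities are constructed sample data, and the scoring rule (controls treated as independent layers, a scenario succeeds only if every technique in its path goes unstopped, and the aggregate is one minus the weighted residual success probability) is an assumption chosen for simplicity. Compliance requirements are expressed as techniques that must be covered by at least one implementing control, which is the "what" versus "how" distinction above; the what-if search then picks the mix of controls within a budget that satisfies those requirements and maximizes the aggregate score.

```python
from itertools import combinations

# Stage 1: loss events triaged by management.
# Stage 2: the ATT&CK path most likely to lead to each loss event.
# Constructed sample data; weights and paths are illustrative assumptions.
SCENARIOS = [
    # (loss event, weight from management triage, ordered ATT&CK technique path)
    ("ransomware", 2, ["T1566", "T1204", "T1486"]),
    ("sensitive data exfiltration", 1, ["T1078", "T1048"]),
]

# Stage 3 input: candidate and current controls.
# name: (cost in budget units, {technique: P(control stops that technique)})
# Costs and probabilities are constructed for this example.
CONTROLS = {
    "email_gateway":      (3, {"T1566": 0.5}),
    "edr_basic":          (4, {"T1204": 0.5, "T1486": 0.5}),
    "mfa":                (2, {"T1078": 0.8}),
    "edr_advanced":       (8, {"T1204": 0.75, "T1486": 0.75}),
    "dlp_egress":         (3, {"T1048": 0.5}),
    "awareness_training": (1, {"T1566": 0.2, "T1204": 0.2}),
}

# Compliance Requirements rendered as "some control must cover this technique"
# (e.g. an anti-phishing requirement -> T1566, an MFA requirement -> T1078).
REQUIRED_COVERAGE = {"T1566", "T1078"}


def technique_stop_probability(selected, technique):
    """P(at least one selected control stops the technique).
    Assumes controls act as independent layers."""
    p_pass = 1.0
    for name in selected:
        p_pass *= 1.0 - CONTROLS[name][1].get(technique, 0.0)
    return 1.0 - p_pass


def scenario_success(selected, techniques):
    """The adversary must execute every technique in the path unstopped."""
    p = 1.0
    for t in techniques:
        p *= 1.0 - technique_stop_probability(selected, t)
    return p


def aggregate_control_effectiveness(selected):
    """Stage 3: one minus the weighted residual probability that the
    modelled scenarios succeed against the selected control set."""
    total_weight = sum(w for _, w, _ in SCENARIOS)
    residual = sum(w * scenario_success(selected, path) for _, w, path in SCENARIOS)
    return 1.0 - residual / total_weight


def total_cost(selected):
    return sum(CONTROLS[n][0] for n in selected)


def meets_requirements(selected, required=REQUIRED_COVERAGE):
    """Every required technique has at least one implementing control."""
    covered = set()
    for n in selected:
        covered.update(CONTROLS[n][1])
    return required <= covered


def best_mix(budget, required=REQUIRED_COVERAGE):
    """Stage 4: exhaustive what-if over control mixes within budget that
    still satisfy the compliance coverage. Returns (score, sorted names)."""
    best = None
    names = sorted(CONTROLS)
    for k in range(1, len(names) + 1):
        for mix in combinations(names, k):
            if total_cost(mix) > budget or not meets_requirements(mix, required):
                continue
            score = aggregate_control_effectiveness(mix)
            if best is None or score > best[0]:
                best = (score, list(mix))
    return best


if __name__ == "__main__":
    current = ["email_gateway", "edr_basic", "mfa"]
    upgrade = ["email_gateway", "edr_advanced", "mfa"]
    for label, mix in (("current", current), ("premium EDR", upgrade)):
        print("%-12s cost %2d  ACE %.4f" % (label, total_cost(mix),
                                           aggregate_control_effectiveness(mix)))
    print("best mix within budget 13, requirements enforced:", best_mix(13))
    print("best mix within budget 13, requirements ignored: ", best_mix(13, set()))
```

With this data the premium EDR upgrade raises the aggregate score less than spending the same budget on keeping the basic EDR and adding an egress DLP control plus awareness training, which is the budget-allocation point made above about not letting one expensive control squeeze out others. Dropping the compliance constraint changes the answer again: the unconstrained optimum discards the email gateway entirely, which is exactly the kind of mix the "what" of the framework rules out. The exhaustive search is fine for a handful of controls; a real control inventory would need a smarter search, and the probabilities would come from your own evidence rather than constructed numbers.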
One final point about budgets. I’ve been in situations where an organization had a glaring issue that could only be addressed with additional budget. Our risk management process can be used to provide a degree of objectivity and documentation that may persuade management to approve the funds needed to address such an issue. If the funds are not approved, at least you provided management with the advice and documented the issue.
In the next article in this series we will dive deeper into examples, exploring several real-world scenarios. If you submit your email address below, we’ll email future articles on Aggregate Control Effectiveness and posts on other related topics. If you have questions or would like to discuss, please contact me via LinkedIn https://www.linkedin.com/in/riskpundit/ or use the contact form at the bottom of the Monaco Risk homepage https://www.monacorisk.com/