Information Security departments are spending increasing amounts and contributing more resources to standards compliance and security controls, and yet there are no guarantees of being safe and secure. So the FUD out there remains. The Fear is real, supported by stories told, true or not. Uncertainty is a given, for nothing is ever really certain enough. Doubt…? Although I dislike the marketing phrase “it’s not a matter of if you are hacked, but when” being used to scare our stakeholders, I have to admit this just is the case. Nowadays, with all our online services, data stored in the cloud, BYOD and more, it is just a matter of when it will hit your organisation. So we have to ask ourselves: is the organisation protected and compliant where it should be?
The purpose of security is of course to avoid business disruption and to ensure there is a robust, fit-for-purpose, business-enabling and end-to-end solution. Being compliant is not the main goal and should not be the top priority, also because most of the standards are considered best practice but are not tailored to the organisation, or are incomplete. In the standards we find a variety of controls to be implemented; some standards overlap heavily, others focus a bit more on specific areas.
Yet just becoming compliant with one such standard, or with several or all of them, may still leave gaps in the solutions we provide to the stakeholders. We need to have a more profound, clear and strong view on the security solutions we need in order to avoid business disruption.
We can achieve this by using an architected approach towards the necessary controls. The SABSA Multi-Tiered Control Strategy is about following an engineered approach when conducting risk assessments.
Engineers use their knowledge of science, mathematics, logic, economics, and appropriate experience or tactical knowledge to find suitable solutions to a problem. In Information Security this is no different. We use our knowledge of logic, economics, politics, appropriate experience, business strategy and existing solutions to find and build suitable security solutions to the security problems, in order to support and enable the business.
Using our extensive security knowledge, best practice, years of experience and so on when conducting risk assessments, we should be able to identify all the elements of the risks in their context and determine what type of controls would fit best, and where. It is at this point that we can also look at the necessary compliance requirements, match and select the appropriate controls in a proportional manner, and integrate them with the existing solutions inside the organisation.
This defence-in-depth approach avoids concentrating only on a limited set of best practices, using instead a more holistic approach to selecting the capabilities that avoid business disruption.