Let’s build on the harmonized combination of an organization’s risk manager and control framework described in my last blog post. Risk managers can use security controls to implement processes that limit the vulnerabilities, risks, and threats that abound in both the physical and cyber space. In this blog post, I’ll outline the strategic plan for implementing such a systematic approach.
A singular vision of the end goal must be in place for any plan of action to be effective. A plan of control and measurement should define risk mitigation and provide evidence that security controls are in place. In the security world, there are two popular approaches: the fox and the hedgehog. Where a “hedgehog” approach tends to take a singular view of security, the “fox” will review security situations from multiple perspectives. The strategic planning work of Isaiah Berlin, for example, follows the hedgehog style.
In order to develop policy ideas into a singular vision, try implementing a document framework. I prefer to use a three-tiered framework based on:
Start with a single “control” and a single document: the information security policy that defines that security control. Next, document the details of how to implement that control. Make sure you take into account multiple cybersecurity approaches and concepts, such as access control and data protection, for a multi-layered, defense-in-depth methodology. By taking a single idea and approaching it from multiple views, the “fox” style comes back into play.
Many organizations implement multiple security standards and controls. The CIS Controls, for example, provide 20 security best practices. Each best practice has its own implications for how it is implemented and for how compliance with a specific task is measured.
Implement controls by breaking the standards down further into procedures. In most cases, each security procedure you plan should have a single implementation strategy and a single control. Role-Based Access Control (RBAC) is one popular and effective way to implement controls, ensuring that only authorized individuals can access control systems. RBAC grants access based on the user’s role within the organization, and that role mapping is then used to implement specific security controls.
It’s interesting to note that one must play both roles – hedgehog and fox – at particular points throughout cybersecurity assessment and audits. The hedgehog approach comes into play when working with a singular vision and “the one important thing” (a particular security control). However, the multitude of ways to implement a particular control requires a multi-disciplined fox approach. Put simply, to achieve the singular you must know and understand multiple concepts. Both approaches are required to build a strong cyber defense.