On its face, the analysis of a key control indicator (KCI) can seem rather straightforward. Do you have confidence in the controls implemented to monitor your environment – are you “in control”?
You will have to answer two questions. First, do you have the controls you need? Second, are they working as intended? Unfortunately, the complexity of security organizations can make it difficult to answer these deceptively simple questions.
For example, you might implement a next generation firewall with a number of security features and opt to enable some of them later. Security operations happens, and your plan is once again overtaken by events (OBE’d) – and who has time to go back?
When it comes to KCIs, you need to plan, execute and monitor your control infrastructure in a managed way. But what is the best way to do that?
First, Examine Your Environment
Similar to key risk indicators (KRIs), it all begins with critical introspection. Where (or what) are your “crown jewels” that you need to protect? From there, what are the compliance/control boundaries?
Take the time to consider these two questions carefully, as the answers you provide – which will be unique to your organization – will change how you architect your environment, as well as how you protect it.
It is helpful to consider using asset classes of devices, networks, users, data and applications, and breaking each down into the cyber defense categories defined by the National Institute of Standards and Technology (NIST): identify, protect, detect, respond and recover.
This five-by-five grid will give you a solid foundation for your defensive strategy.
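As an added illustration (not code from the original article), the script below builds the five-by-five grid described above and answers the two KCI questions from the opening of the piece for every cell: is a control present, and is it working? A control only counts as effective when it is actually enabled and an audit has confirmed it within a freshness window, which captures the "enable some features later" problem with the firewall example. The control records, the 90-day window and the reporting date are constructed assumptions for the demonstration.

```python
# Added example: KCI coverage check over the asset-class x NIST CSF grid.
# Not from the original article; control records and dates are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

ASSET_CLASSES = ("devices", "networks", "users", "data", "applications")
FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")


@dataclass
class Control:
    name: str
    asset_class: str
    function: str
    enabled: bool                  # Is the feature actually switched on?
    last_verified: Optional[date]  # Last audit that confirmed it works, if any


def is_effective(control: Control, today: date, max_age_days: int = 90) -> bool:
    """Both KCI questions for one control: present (enabled) AND working (recently verified)."""
    if not control.enabled or control.last_verified is None:
        return False
    return (today - control.last_verified).days <= max_age_days


def coverage_grid(controls, today: date, max_age_days: int = 90):
    """Count planned and effective controls in every (asset class, function) cell."""
    grid = {a: {f: {"planned": 0, "effective": 0} for f in FUNCTIONS}
            for a in ASSET_CLASSES}
    for c in controls:
        if c.asset_class not in ASSET_CLASSES or c.function not in FUNCTIONS:
            raise ValueError(f"control {c.name!r} maps to an unknown grid cell")
        cell = grid[c.asset_class][c.function]
        cell["planned"] += 1
        if is_effective(c, today, max_age_days):
            cell["effective"] += 1
    return grid


def kci_gaps(grid):
    """Split gaps into cells with no control at all and cells whose controls are not working."""
    missing, ineffective = [], []
    for a in ASSET_CLASSES:
        for f in FUNCTIONS:
            cell = grid[a][f]
            if cell["planned"] == 0:
                missing.append((a, f))
            elif cell["effective"] == 0:
                ineffective.append((a, f))
    return missing, ineffective


# Constructed sample inventory (hypothetical names and dates).
SAMPLE_CONTROLS = [
    Control("ngfw-ips", "networks", "protect", enabled=False, last_verified=None),  # bought, never turned on
    Control("ngfw-logging", "networks", "detect", enabled=True, last_verified=date(2024, 5, 15)),
    Control("edr-agent", "devices", "detect", enabled=True, last_verified=date(2024, 1, 10)),  # audit is stale
    Control("asset-inventory", "devices", "identify", enabled=True, last_verified=date(2024, 5, 1)),
    Control("mfa", "users", "protect", enabled=True, last_verified=date(2024, 5, 20)),
]
REPORT_DATE = date(2024, 6, 1)


def sample_report():
    """Return (missing cells, ineffective cells) for the constructed inventory."""
    return kci_gaps(coverage_grid(SAMPLE_CONTROLS, REPORT_DATE))


if __name__ == "__main__":
    missing, ineffective = sample_report()
    print(f"{len(missing)} of 25 cells have no control planned")
    print("controls present but not effective:", ineffective)
```

The split between "missing" and "ineffective" matters for the indicator: the first is a planning gap, the second is the operational drift the article warns about, where a control was purchased but never enabled or has not been audited recently enough to trust.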
Next, Anticipate Control Complexities
As a baseline, most organizations have policies in place to ensure compliance, procedures that enforce or put those policies into practice, and audits that confirm that those procedures are being followed. Again, as with the concept of the KCI itself, this can seem simple and linear.
In reality, the waters are easily muddied when you take the different variables into account.
You might perform an audit to confirm that all of your compliance boxes are checked appropriately. But, during the course of your business operations, you may have purchased many different systems and products to help prop up your security infrastructure. This can introduce a level of complexity that makes any measurement of what is actually going on quite difficult.
How can you tell what components are contributing to your compliance, what components are working well and what components should be removed from your security infrastructure?
Finally, Measure Control Indicators
To have the right policy, procedure and audit processes in place for your controls, you need a higher-level, comprehensive understanding of your company’s security and compliance environments. This is particularly true because what you are often trying to do in these cases is detect the unexpected – whether that is a misconfiguration or a security incident.
While often these adverse impacts are analyzed as performance indicators, they can also fall under the umbrella of your control indicators, in the event that a control that should have been in place was not.
The more measured and methodical your approach to forming those control processes in the first place, the better you will be able to understand your environment, remain in compliance and protect what matters most.