itSMF Bulletin June 2023 | Page 13

manually chasing security teams for evidence of control operation and effectiveness. This organizational behavior is caused primarily by misaligned financial and behavioral incentives, complicated by the sheer amount of work performed by both compliance and security teams. An underlying reason is that security control operators are incentivized to keep the business and related customer data secure. Being nice or effectively communicating with the compliance team is not a managed behavior or a goal that appears on annual performance reviews for the security team.

By comparison, the compliance team has the goal of maintaining and attesting to the compliance of the organization in the face of a potentially sprawling number of contractual, legal, and regulatory requirements, many of which carry consequences for non-compliance. The compliance team is often dependent on the security team for evidence of compliance, and, similar to the security team’s annual performance review forms, effective and friendly inter-departmental communications aren’t measured goals. This has led to the current and unfortunate perspective that the security team sees the compliance team as a nuisance that distracts or prevents them from doing their job. This can be particularly pronounced when an organization is undergoing an external audit or an investigation, which is already stressful for a compliance team.

Additionally, while many companies have formalized their commitment to risk management, they’re not measuring the effectiveness of the controls in mitigating risks. In today’s difficult economic climate, an inability to measure the control effectiveness makes it challenging to justify which controls are worth the cost or effort. This is not the fault of cybersecurity vendors, either. While many cybersecurity vendors care about an organization using their solution, this interest is primarily driven by the commercial concern of Net Revenue Retention (NRR), not how effectively their solution reduces the unique risks faced by the organization.

4 Easy Steps to Determine Which Controls Are Effectively Mitigating Risks and Identify Outliers

Step 1: Conduct a Gap Analysis

Like many projects in security and compliance, the first activity is to conduct a gap analysis. In this case, organizations begin by mapping their existing controls to their documented risks. In this analysis, all controls should have one or more linked risks. Any controls that do not initially appear to map to a risk should be set aside for further analysis, which we’ll describe in detail later in this article. During this initial step, organizations should also avoid estimating control effectiveness – rather, this is about building a consolidated inventory of controls and their related risks.
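One way to build the consolidated control-to-risk inventory described in this step in code, as an added example that is not part of the article: it joins a control inventory against a risk register, reports controls that map to no risk (the outliers to set aside), risks that no existing control covers, and register entries that name a control the inventory does not have. The control and risk identifiers, names and owners are constructed sample data, and the function names are this example's own.

```python
"""Control-to-risk gap analysis (added example, not from the itSMF article).

Builds the consolidated inventory Step 1 describes: every control is linked
to the risks it mitigates, controls with no linked risk are set aside for the
later review the article mentions, and risks with no control are reported as
uncovered. No effectiveness estimate is made at this stage. Control IDs, risk
IDs, owners and descriptions are constructed sample data, not any real
organization's register.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    owner: str  # team that operates the control (hypothetical team names)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    control_ids: tuple  # controls the register says mitigate this risk


# Constructed sample inventory of security controls.
CONTROLS = [
    Control("CTL-001", "MFA on all workforce SSO logins", "Identity"),
    Control("CTL-002", "Laptop full-disk encryption", "Endpoint"),
    Control("CTL-003", "Quarterly access reviews for production", "Identity"),
    Control("CTL-004", "Legacy fax gateway monitoring", "NetOps"),
    Control("CTL-005", "Daily offsite database backups", "Platform"),
]

# Constructed sample risk register; one entry references a stale control ID.
RISKS = [
    Risk("RSK-01", "Credential theft leading to account takeover", ("CTL-001", "CTL-003")),
    Risk("RSK-02", "Loss of a device holding customer data", ("CTL-002",)),
    Risk("RSK-03", "Ransomware destroys production data", ("CTL-005", "CTL-099")),
    Risk("RSK-04", "Insider exfiltration via shared mailbox", ()),
]


def gap_analysis(controls, risks):
    """Map controls to risks without estimating effectiveness.

    Returns a dict with:
      mapping            control_id -> sorted list of risk_ids it is linked to
      unmapped_controls  controls linked to no risk (set aside for later review)
      uncovered_risks    risks with no existing control linked
      dangling_refs      (risk_id, control_id) pairs naming a control that is
                         not in the inventory, i.e. a stale register entry
    """
    mapping = {c.control_id: [] for c in controls}
    uncovered, dangling = [], []
    for risk in risks:
        linked = 0
        for cid in risk.control_ids:
            if cid in mapping:
                mapping[cid].append(risk.risk_id)
                linked += 1
            else:
                dangling.append((risk.risk_id, cid))
        if linked == 0:
            uncovered.append(risk.risk_id)
    unmapped = sorted(cid for cid, rids in mapping.items() if not rids)
    return {
        "mapping": {cid: sorted(rids) for cid, rids in mapping.items()},
        "unmapped_controls": unmapped,
        "uncovered_risks": uncovered,
        "dangling_refs": dangling,
    }


def report(result, controls):
    """Render the gap analysis as text lines for a review meeting."""
    by_id = {c.control_id: c for c in controls}
    lines = ["Controls set aside (no linked risk):"]
    for cid in result["unmapped_controls"]:
        c = by_id[cid]
        lines.append(f"  {cid} {c.name} (owner: {c.owner})")
    lines.append("Risks with no existing control:")
    lines.extend(f"  {rid}" for rid in result["uncovered_risks"])
    lines.append("Register entries naming unknown controls:")
    lines.extend(f"  {rid} -> {cid}" for rid, cid in result["dangling_refs"])
    return lines


if __name__ == "__main__":
    print("\n".join(report(gap_analysis(CONTROLS, RISKS), CONTROLS)))
```

On the constructed data the run sets aside CTL-004 (no risk references it), flags RSK-04 as having no control, and surfaces the stale CTL-099 reference in RSK-03; in practice the two inputs would be exported from the control catalogue and the risk register rather than typed inline.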

Step 2: Automate Evidence Collection

The next step is to automate as much evidence collection as feasible. While this may not seem like an initially obvious action — after all, the