One of the things I wanted to follow up on from yesterday's post is controls implementation. In my model there are three key teams (Threat Response, Security Management, and Risk and Compliance). These three teams are the basis of the Risk Management model I use. Within the Security Management team we have the function of controls implementation, which is made up of a few things: first, designing a control based on the threat that the Threat Response team has identified; second, the telemetry that demonstrates the need for that control; and lastly, the implementation of that control.
It is the implementation of a control where we need to focus a bit. Implementing a control should not mean that InfoSec owns that control. In many cases, we are implementing a control inside a process that someone else owns, such as review gates inside a project management, change management, or SDLC process. This matters because InfoSec will never have enough people to staff up for ownership of all the controls that are needed. Also, the operational and culture-change advantages of those other teams owning the controls are huge, and they are lost if InfoSec "white knuckles" the controls itself.
If InfoSec is accountable for security but can't own the labor to manage all of the controls, then how can this be done? This brings us to the importance of metrics. The need for metrics, good metrics, is to identify whether the controls implemented are working as expected or desired. The process is that InfoSec implements the control and, over the course of a year or two, slowly backs out of the day-to-day function. That period is used to implement the control, harden the process, put metrics in place, and educate the true owners of the control. Once the metrics are in place, InfoSec can move to Flow Management, where it manages the metrics to determine whether any of the controls are going in the wrong direction. If they are trending in an undesirable direction, InfoSec has the ability to come back in and command and control the situation to fix it.
With this process, InfoSec can apply its labor to those controls that need to be implemented or fixed. In addition, it places the ownership of the controls on those who truly own them, and it drives the culture change where they are accountable for security as well.