Controls are for Auditors, Processes are for Managers


Consider this: controls are for auditors, processes are for managers. As someone who has spent the past 17 years issuing guidance and helping companies improve their information security, I have concluded that the industry's approach to information security is too narrow. Oftentimes tools are purchased as a reaction to the latest threat or, worse, to a socially cool trend. To truly operationalize security, information security practitioners, particularly leaders (CISOs), must focus on how to manage the security program, both data security and cyber security, based on the performance of processes. Consider the following excerpt from the IIA:

The Institute of Internal Auditors (IIA) defines control, the control environment, and control processes as follows: 

A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control processes are the policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

So how can you actually begin to measure your security program and operationalize performance based on process? First, a challenge. You may already be objecting in your mind: "there are too many processes to manage effectively; controls are easier." I would challenge any security program, in most use cases, to identify more than forty (40) processes. Yes, this includes regulations such as GLBA, HIPAA, PCI and FFIEC, and frameworks like ISO 27001 and the NIST CSF.

Many of the regulatory controls and framework controls overlap considerably. If we raise our eyes from the rough outlining the fairway, we can see the ball and the pin clearly. By taking an industry-recognized IT management and governance framework like COBIT and marrying it with a set of consolidated processes, your life as a CISO or information security practitioner becomes easier. Easier because you gain the ability to align the organization's objectives (the pin) with metrics related to the processes that get the ball to the pin (the fairway). But it doesn't end here. It's about protecting the organization; I know, I hear you, and I've heard others say the same. This is why we've automated this process with TrustMAPP.