
The essentials of IT security controls: How do you measure up?



IT security is one of the top concerns of any organization, and if it isn't a top priority of yours, it should be. Reports of breaches that damage the reputations of enterprises and expose millions of consumers' records have become a weekly occurrence; Target, Sony, VTech, and even security vendor Kaspersky have all been breached in recent years. Regardless of your organization's size, you must have essential security measures in place to prevent breaches and protect two of your organization's most critical assets: its data and its infrastructure.

These essential security measures include assessing associated risks, developing an information security plan to mitigate risks, implementing security controls, monitoring and testing security controls, and continuously updating the risk assessment, mitigation strategy, and controls.

The CISO’s role

According to Hewlett Packard Enterprise Security, today's CISO is facing growing complexity and business disruption, as well as "increasingly motivated, knowledgeable, and evolving adversaries that seek to steal or disrupt access to data." The CISO is responsible for ensuring that the security measures implemented are governed by organizational policies and practices. Because all staff need to be educated on IT security, the CISO must also enforce compliance across the organization with an information security awareness program. Designate one or more individuals as information security officers for this task—they should be responsible for running the security program and reporting its status to senior management.

The CISO's plan for enforcing security controls should focus on three critical elements. The first is people: communicating with senior management, assigning roles and responsibilities, committing resources, training critical personnel, and accepting personal accountability. The second is technology: acquiring up-to-date solutions at every layer of the infrastructure, including firewalls, intrusion detection systems, remote access controls, backup systems, current antivirus software, and a patch management plan. The third is operations, the activities required to sustain the organization's security measures day to day: policies, risk assessments, vulnerability reviews, process controls, and incident response plans. To be successful, a CISO needs:

  • Security policies, procedures, and controls consistent with the organization's culture
  • Clear support and commitment from the organization's top management
  • A deep understanding of security requirements and risk management
  • Complete implementation and testing of security controls
  • Policy and standards distribution, training, and education for all stakeholders

Selecting security controls

The selection and specification of controls is accomplished as part of an organization-wide risk management and information security plan, and is typically dependent on risk mitigation objectives balanced against implementation cost. This process can be simplified by asking yourself what controls are needed to protect the organization's information. This may include an inventory of all devices and software being used by staff (authorized and unauthorized), application software security, malware defenses, and wireless access control. To help make this assessment, consider what IT trends trigger the most risk to your organization—what Hewlett Packard Enterprise Security calls "an enterprise-wide view of risk."

You'll also need to assess whether your IT staff is experienced enough to operate the proposed controls, and whether the controls are realistic at all. CIOs and CISOs have learned the hard way that staff find workarounds for controls that inconvenience them directly, BYOD being the classic example. A zero trust model addresses this by assuming no implicit trust based on network location: every access request is authenticated and authorized, internal network traffic is analyzed as closely as traffic at the perimeter, and each employee is granted only the minimum privileges the job requires.

Lastly, how will the security controls fit within the existing infrastructure, and will you need to upgrade or modernize to support the new controls? Many factors will influence the selection process, including a risk-based cost/benefit analysis, ease of use, transparency, compatibility, and integration.

Measuring security controls

Metrics, while important, mean different things to different audiences; for some, interpreting security data is like reading a foreign language. According to Matt Kesner, CIO at Fenwick & West, "Modern security systems do not report metrics in a way that seems meaningful to most business people." To be truly valuable to an enterprise, metrics must be translatable for the executives who make the hard decisions about security. A data sheet may be valuable to a security pro, but an executive is looking for clear evidence in business terms. Common metrics for judging whether controls are working include mean time to respond, patch latency (the time from a vendor's release of a fix to its deployment), incident volume, and the false-positive rate of your detection tooling.
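As an added example (not code from the article, from HPE, or from any product it mentions), here is how those four metrics can be computed from raw alert and patch records and then restated in business terms. All records, field names, and the 30-day patch target below are constructed assumptions for illustration, not any real tool's schema or any real organization's policy.

```python
"""Security-control metrics computed from constructed sample records.

Added example, not code from the original article: it turns raw alert and
patch records into the four metrics the text names (mean time to respond,
patch latency, incident volume, false-positive rate) and a one-paragraph
executive summary. All records are constructed for illustration and the
field names and SLA value are assumptions, not any real tool's schema.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from math import ceil
from typing import Dict, List, Optional


@dataclass
class Alert:
    ident: str
    detected: datetime        # when the control raised it
    responded: datetime       # first analyst action on it
    disposition: str          # "true_positive" or "false_positive"


@dataclass
class Patch:
    ident: str                # placeholder label, not a real advisory ID
    released: datetime        # vendor release date
    deployed: Optional[datetime]  # None while still outstanding


# Constructed sample data (not real incidents or advisories).
ALERTS = [
    Alert("A-1", datetime(2015, 11, 2, 9, 0), datetime(2015, 11, 2, 11, 0), "true_positive"),
    Alert("A-2", datetime(2015, 11, 10, 14, 0), datetime(2015, 11, 10, 15, 0), "false_positive"),
    Alert("A-3", datetime(2015, 11, 21, 22, 0), datetime(2015, 11, 22, 4, 0), "true_positive"),
    Alert("A-4", datetime(2015, 12, 3, 8, 0), datetime(2015, 12, 3, 8, 30), "false_positive"),
    Alert("A-5", datetime(2015, 12, 15, 10, 0), datetime(2015, 12, 15, 12, 30), "true_positive"),
]
PATCHES = [
    Patch("patch-a", datetime(2015, 10, 1), datetime(2015, 10, 8)),
    Patch("patch-b", datetime(2015, 10, 15), datetime(2015, 11, 20)),
    Patch("patch-c", datetime(2015, 11, 5), datetime(2015, 11, 12)),
    Patch("patch-d", datetime(2015, 11, 20), None),      # still outstanding
    Patch("patch-e", datetime(2015, 12, 10), datetime(2015, 12, 12)),
]
PATCH_SLA_DAYS = 30                    # assumed policy target, not from the article
REPORT_DATE = datetime(2015, 12, 31)   # assumed reporting date for the summary


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile; patch latency is skewed, so p50/p90 beat a mean."""
    ordered = sorted(values)
    rank = max(1, ceil(p * len(ordered)))
    return ordered[rank - 1]


def mean_time_to_respond_hours(alerts: List[Alert]) -> float:
    """Average detection-to-first-action time across all alerts."""
    hours = [(a.responded - a.detected).total_seconds() / 3600 for a in alerts]
    return sum(hours) / len(hours)


def patch_latency_days(patches: List[Patch], as_of: datetime) -> Dict[str, float]:
    """Release-to-deploy latency. Undeployed patches are measured as of the
    reporting date so open exposure is not hidden by counting only finished work."""
    latencies = [((p.deployed or as_of) - p.released).days for p in patches]
    return {
        "median": percentile(latencies, 0.5),
        "p90": percentile(latencies, 0.9),
        "over_sla": sum(1 for d in latencies if d > PATCH_SLA_DAYS),
        "outstanding": sum(1 for p in patches if p.deployed is None),
    }


def incident_volume_by_month(alerts: List[Alert]) -> Dict[str, int]:
    """Alert counts keyed by YYYY-MM, the shape a trend chart needs."""
    return dict(Counter(a.detected.strftime("%Y-%m") for a in alerts))


def false_positive_rate(alerts: List[Alert]) -> float:
    """Share of alerts an analyst closed as false positive (time spent on noise)."""
    fp = sum(1 for a in alerts if a.disposition == "false_positive")
    return fp / len(alerts)


def executive_summary(alerts: List[Alert], patches: List[Patch], as_of: datetime) -> str:
    """Restate the numbers in business terms rather than as raw tool output."""
    lat = patch_latency_days(patches, as_of)
    vol = incident_volume_by_month(alerts)
    return (
        f"Analysts acted on alerts within {mean_time_to_respond_hours(alerts):.1f} h on average; "
        f"{false_positive_rate(alerts):.0%} of alerts were false positives. "
        f"Half of patches deploy within {lat['median']:.0f} days, but the slowest tenth take "
        f"{lat['p90']:.0f}+ days; {lat['over_sla']} patches breached the {PATCH_SLA_DAYS}-day "
        f"target and {lat['outstanding']} is still open. Monthly alert volume: {vol}."
    )


if __name__ == "__main__":
    print(executive_summary(ALERTS, PATCHES, REPORT_DATE))
```

The design point is that undeployed patches are counted at the reporting date rather than dropped, and that latency is reported as median and 90th percentile: a mean hides the handful of very late patches that actually carry the risk, while the outstanding and over-target counts are the numbers an executive can act on.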

Be sure to monitor the effectiveness of your controls on actual people, starting with your own staff. Have they complied with your controls? If not, why not? Did the security training you provided have a measurable effect? Don't underestimate the human element: it is people, not data, that are behind breaches.

To learn more about providing resources to minimize security risks to your business, read the recent Cyber Security Research Report.

About the Author

Ahmed Banafa has extensive experience in IT operations and management, as well as a research background in analysis of new technology trends.

