The term “security control validation” is used frequently across frameworks, security vendors, and more. What does it mean to validate security controls? And why is it often easier said than done?
Security control validation is the process of testing individual controls or a set of controls to ensure they are effectively protecting against a variety of cyber risks. A classic example of security control validation is ensuring firewalls are implemented and that they prohibit malicious inbound web traffic.
Now, a firewall is just one control. The average security organization has a dozen or more technical controls, including endpoint protection, secure web gateways, identity and access management, anti-phishing technology, and more. Even that is only a small sample of the many controls documented in NIST 800-53.
So much attention is given to which security products to purchase, but deploying and maintaining those products are areas that are often overlooked and underinvested in.
Security control validation helps to uncover three areas of risk:
Security control validation is typically a byproduct of point-in-time assessments: penetration tests, red teaming exercises, audits, and more. These exercises present a great option to understand how well security controls are working. Since these exercises are conducted with knowledge of the company’s network, they can be extensive and very productive. But, as these exercises are point-in-time, the validation of these controls can only carry so much weight.
Many technologies now claim to provide “continuous security control validation”, usually through an external lens that observes vulnerabilities, malware infections, application security, network security, and more. These platforms often require minimal work and overhead for security teams, presenting a good option to evaluate a certain subset of security controls.
However, since these platforms often lack the “inside-out” view, there are many security controls that can’t be validated properly. This could be due to either the controls — or the assets themselves — not being seen or assessed outside the network.
Like most things in security, having an accurate and up-to-date asset inventory allows for more accurate and comprehensive security control validation. Cybersecurity asset management platforms integrate with all your security controls, showing how they relate to all of your IT assets in one central view.
Furthermore, cybersecurity asset management not only validates whether security controls exist and are working correctly for all assets — it can also validate controls on a continuous basis.
Organizations looking for better security control validation should first ask whether they’re confident in their asset inventory. If the answer isn’t a resounding yes, cybersecurity asset management should be a prerequisite.