Random thoughts: security controls and the effectiveness
Recently I have been traveling in parts of Europe, both in EU and non-EU countries, and certainly noticed the different security controls and variations at airports and entries.
This makes me wonder, in the practices of information security, do we really know the actual effectiveness of various types of controls, be it access, physical, logical, layered, etc., etc.? Are some of the security controls deployed just to meet the regulatory requirements, to make us feel secure, or to have a job security / CYA, or what?
Re: Random thoughts: security controls and the effectiveness
I presently work at a University, and I've noticed that physical security is treated lightly at most levels --- from entering the campus main gates, where the security guards won't bother to check if you're an employee / student, to entering the IT office, which doesn't even have a physical Access Control system! (I've conveyed the risk of this to management multiple times.)
On the other hand, the regulatory authority is more concerned about the cyber-security threats, and provides us with the controls to apply for this. The last time they did this was in May, and just last week they asked us to update them on our compliance status. (I provided the requirements to our team.)
In this situation, management asked me about the Cyber-security controls --- rather than the physical controls.
In this scenario, we see CYA followed at multiple levels:
I respond to ALL the risks I perceive, providing management with an analysis, recommendations & treatment options.
Management treats SOME of the risks, prioritizing controls required for regulatory compliance.
(This is a government-funded educational institution; of course, things may differ at private organizations.)
... This makes me wonder, in the practices of information security, do we really know the actual effectiveness of various types of controls, be it access, physical, logical, layered, etc., etc.? ...
For some controls, yes, for others, maybe not. The whole reason the CIS Top 20 exists is to advise folks on prioritizing their security controls implementation (translation: budgeting for) based on getting the highest level of effectiveness for the investment.