Control is among the most common values and priorities within information security programs. The desire for control over organizational systems is so powerful that the word “controls” is used to describe the policies, processes, and technological tools that organizations use to create their cyber security infrastructures. Control security cultures seek to lock down as much as possible, everywhere possible, and continuously audit and test to make sure everyone is following the rules. Members of this culture tend to see risk as coming from giving people too much freedom to do things their own way. That’s why you tend to find Control security cultures in more conservative, bureaucratic industries with standardized processes and external regulations that govern their behavior.
What Is a Control Security Culture?
Control security cultures exhibit key traits from both the Process and Compliance security cultures within the Competing Security Cultures Framework. They seek to maximize stability, visibility, and repeatability throughout all information technology activities, regardless of whether they are internally facing (security policies and processes) or externally facing (audits and compliance). This is often because so much of the organization is regulated that it is difficult to separate specific functions for audit purposes (for example, by segregating systems that process credit card information, in the case of PCI DSS). It’s simpler to apply compliance requirements to everything. Sometimes Control security cultures develop out of organizational cultures that also value rigid rules and standards to deliver their products and services, including government and military organizations, manufacturing firms, and even large consulting companies.
If your organization has a Control security culture, you probably feel like you have little choice about how to do things in regard to your IT systems. There’s a right way, and everything else is the wrong way. If you try to do something differently, even if you think it’s an improvement, you are likely to run into trouble. Like Process security cultures, security is likely to be centralized and bureaucratic. Like Compliance security cultures, security frameworks, checklists, and audits are probably very common. Control cultures tend to worry, often with good reason, that any deviation from normal procedures could result in risks to the business. Control security cultures can experiment and innovate just like other organizations, but even this process will be tightly controlled and subject to defined chains of approval. The consequences of giving people too much freedom or trust are seen as outweighing the benefits.
Core Values, Strengths, and Weaknesses of Control Security Cultures
Control security cultures tend to value regimentation and enforcement across enterprise IT and information governance. Coordination is managed both inside the organization, between divisions and business units, and between the organization and external stakeholders including governments, regulators, partners, and customers. The security team’s job is essentially to make sure that everybody knows what they are required to do in any given situation and that they are prevented from doing anything else.
Control security cultures are often quite good at pushing systematic security practices across large numbers of people and activities, and then regularly enforcing and validating these practices and constraints through combinations of technology (automation) and process (audits). Their strengths lie in their ability both to standardize security and to document and demonstrate their security practices to outside parties on demand. For highly regulated or competitive industries where room for error is small and the consequences of failure are high, this represents good business practice.
Where Control security cultures demonstrate weaknesses or limitations is in their ability to be agile and dynamic. As the security bureaucracy becomes increasingly entrenched, standard ways of doing things can take on a life of their own. Resistance to change can become a problem, even when it becomes apparent that the old ways are no longer as suitable or efficient. They can develop the worst habits of both Process and Compliance security cultures, including bloated bureaucracies that impede efficiency, as well as checklist-driven operations that focus more on implementing security controls frameworks than on building good security. In extreme cases, Control security cultures can become so brittle and inflexible that security risks actually increase.
Where Do You Find Control Cultures?
Control security cultures are among the most common cultural types for cyber security teams. This can be a good fit if the overall enterprise also values tight control over operations and activities. In fact, in such organizations, the Control security culture of the security team is probably simply a reflection of how the organization does business everywhere. But Control security cultures can also develop independently, even inside organizations that are more open and autonomous. Sometimes, it is precisely this freedom and independence among internal stakeholders and users that convinces a security team that a Control security culture is necessary. In such cases, cultural conflicts and competition around security can grow as other parts of the organization balk at having traditional freedoms, choices, and authority taken away.
Military and Defense – military and defense organizations are among the most regimented and controlled cultures you can find. Procedures are standardized and continuously drilled and practiced. Rigid chains of command combine with highly modular systems that contribute to overall mission accomplishment under a variety of circumstances.
Manufacturing – few industries have as much experience in standardizing and controlling their operational processes as manufacturing. Add to this the need to adhere to laws and regulations covering everything from workplace safety to product quality, and manufacturing companies rely on tight standards enforced by regular audits, a natural fit for Control security cultures.
Healthcare – another highly regulated industry, healthcare has pioneered checklists and controls for quality assurance in medical service delivery. But medicine is also a discipline that values scientific rigor and control as a foundation of practice. The result is a model for how discipline and control bring value and benefits to those served by these organizations.
Banking and Finance – financial organizations must plug seamlessly into a global, interoperable economic system that is highly regulated and regularly tested and audited. The result is a culture of interlocking standards for information flows and processing that demands conformity and commitment to shared rules and values. Financial institutions are also built to last, and some banks are centuries old. Stable, repeatable cultures enable values to be passed between organizational “generations,” both for business and increasingly for technology and security priorities.