The Definition Layers (1, 2, 3)
Layers one through three all work together to equip the organization for success when sensitive activities are performed.
Beginning with an understanding of the different ways that things could go wrong, Layer 1 contains the documentation of Vectors and the corresponding Guidance that can help prevent negative outcomes.
Building upon those Vectors, Layer 2 narrows the view: each Threat is specific to a particular scenario, and each Threat documents the justification for one or more Controls, which state the clear objectives and requirements that guide actors in mitigating it.
As the capstone to enable robust security implementation, Layer 3 prioritizes the Risks that an organization faces and outlines the Policies that are necessary to mitigate the most pressing opportunities for neglect, mistakes, and malicious activity.
When these three layers are coordinated in a streamlined fashion, they act as design requirements to accelerate and empower implementation activities.
However, the opposite is more often seen in practice: when definitions are not properly orchestrated as part of preparation or design requirements, compliance inevitably becomes segmented from security. Instead of compliance activities serving as a strategic part of a larger security initiative, compliance itself becomes the goal.
As Goodhart’s law teaches us: “When a measure becomes a target, it ceases to be a good measure.” If we mandate compliance for the sake of compliance, we reduce our own efficacy. For this reason, a deep understanding of the reasoning behind these three layers is essential to good security outcomes.