Controls Are Not the Enemy
They’re Some of Your Best Tools for Telemetry and Triage
Security compliance stinks.
Even at its best, compliance can be awkward, baroque, and theatrical. If left to fester, it can become a black hole of Anti-Business—ill-managed, unpredictable, and dictated by the whims of external auditors and regulators.
But what if I told you there is a better way?
What if controls aren’t meant to be papier-mâché process documents, good-intentioned but unenforceable mandates, or perfunctory checkboxes that we mark while rolling our eyes, impatient to return to real security work?
What if a control was just the atomic unit of asset state measurement?
What if controls provided useful, actionable information about the integrity and resiliency of your applications, infrastructure, and data? What if what we call a “control” was really the measurement of our ability to maintain assets in a desired state over a period of time?
That sounds broader than “compliance” or “checkbox,” doesn’t it? That sounds like a business metric that could inform leadership decisions, guide staffing models, and promote rational investments to mitigate risk.
Compliance is not the end of that journey — or even the primary goal! But you could do worse than start with baseline-driven, machine-readable security controls mapped to satisfy your existing compliance requirements.
If we apply the same rigor to the design, implementation, and monitoring of those controls as we do to the rest of our “real” operational security work, we have created a defensible, rational, and risk-based position for security compliance. That means fewer surprises during audit season, as well as more predictability in using Engineering time to mitigate control gaps.
Don’t overthink it! Start small, with a shortlist of pass/fail controls that are easily state-checked via automation.
Password controls are great for this purpose: Scan your sources of truth nightly, pull logs into a secure central (non-prod) location, and run a few simple Python scripts against the data. You’ve just created an automated control to monitor that critical business assets are in a desired state: password length, age, complexity, etc. Be sure to tighten up the access and change controls around your tooling and automation, as they should be audited too.
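As an added illustration of the nightly password-control check described above (this is example code written for this post, not the author's tooling), the script below takes one normalised export from an identity source of truth, evaluates three pass/fail controls (configured minimum length, complexity enforcement, and password age) against an assumed baseline, and emits one machine-readable result record per control. The export format, control identifiers, and baseline thresholds are assumptions; the sample export is constructed and carries policy settings and password metadata only, never password material.

```python
import json
from dataclasses import dataclass, asdict
from datetime import date

# Assumed baseline the controls are measured against; substitute the
# thresholds from your own standard.
BASELINE = {"min_length": 14, "max_age_days": 90, "require_complexity": True}

# Constructed sample of a normalised nightly export. It contains only policy
# settings and password metadata, so it is safe to land in a central
# non-prod store. No real accounts or secrets.
SAMPLE_EXPORT = json.dumps({
    "source": "corp-directory",
    "snapshot_date": "2024-03-01",
    "policy": {"min_length": 12, "require_complexity": True},
    "accounts": [
        {"user": "alice", "password_last_set": "2024-01-15"},
        {"user": "bob", "password_last_set": "2023-10-01"},
        {"user": "svc-backup", "password_last_set": "2024-02-20"},
    ],
})


@dataclass
class ControlResult:
    control_id: str
    status: str      # "PASS" or "FAIL"
    evidence: dict   # machine-readable detail retained for audit


def parse_snapshot(raw: str) -> dict:
    """Parse the export and turn ISO date strings into date objects."""
    snap = json.loads(raw)
    snap["snapshot_date"] = date.fromisoformat(snap["snapshot_date"])
    for acct in snap["accounts"]:
        acct["password_last_set"] = date.fromisoformat(acct["password_last_set"])
    return snap


def check_min_length(snap: dict, baseline: dict) -> ControlResult:
    """Control: the configured minimum length meets the baseline."""
    configured = snap["policy"]["min_length"]
    ok = configured >= baseline["min_length"]
    return ControlResult("PWD-LENGTH", "PASS" if ok else "FAIL",
                         {"source": snap["source"], "configured": configured,
                          "required": baseline["min_length"]})


def check_complexity(snap: dict, baseline: dict) -> ControlResult:
    """Control: complexity is enforced whenever the baseline requires it."""
    configured = bool(snap["policy"].get("require_complexity", False))
    ok = configured or not baseline["require_complexity"]
    return ControlResult("PWD-COMPLEXITY", "PASS" if ok else "FAIL",
                         {"source": snap["source"], "configured": configured,
                          "required": baseline["require_complexity"]})


def check_password_age(snap: dict, baseline: dict) -> ControlResult:
    """Control: no account's password is older than the baseline allows."""
    limit = baseline["max_age_days"]
    stale = {}
    for acct in snap["accounts"]:
        age_days = (snap["snapshot_date"] - acct["password_last_set"]).days
        if age_days > limit:
            stale[acct["user"]] = age_days
    return ControlResult("PWD-AGE", "PASS" if not stale else "FAIL",
                         {"source": snap["source"], "max_age_days": limit,
                          "checked": len(snap["accounts"]), "stale": stale})


def evaluate(raw: str, baseline: dict = BASELINE) -> list:
    """Run every control against one export and return the results."""
    snap = parse_snapshot(raw)
    return [check_min_length(snap, baseline),
            check_complexity(snap, baseline),
            check_password_age(snap, baseline)]


def to_jsonl(results: list) -> str:
    """One JSON record per control: the shape shipped to the central store."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True, default=str)
                     for r in results)


if __name__ == "__main__":
    print(to_jsonl(evaluate(SAMPLE_EXPORT)))
```

Against the constructed export, the length and age controls fail (the directory allows 12 characters and one password is 152 days old) while the complexity control passes. Each failing record names exactly what is out of the desired state, which is the evidence an auditor asks for and the work item Engineering needs, produced by the same run.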
Now measure the time it took to build this solution and compare it against the time required annually to gather evidence and test those same controls. I think you’ll be pleasantly surprised. And you’ve taken your first step towards making your security controls work for you.
Compliance isn’t going away anytime soon. It’s time to embrace the challenge of integrating internal and external security standards into a set of controls that makes sense in a cloud-first, zero-trust, serverless world.