Brainstorming for Optimal Cybersecurity Controls: Starting Stringent, Ending Strong

Author: Abhishek Kushwaha, CISA, CDPSE, CISSP, CCSP
Date Published: 11 December 2024
Read Time: 10 minutes

Cybersecurity is an ongoing battle, and it is crucial to craft the optimal set of controls for a winning strategy. Although the goal is to achieve maximum protection with minimal impact, aiming for optimal from the outset can lead to critical security measures being overlooked. To crack the code for a successful strategy, cybersecurity teams need to unleash the power of collaboration by brainstorming stringent controls first. Stringent controls are measures that, while secure, are excessively rigid. These controls often demand a high level of processing and engagement, frequently requiring continuous action from users to remain functional. While they may achieve their security aims, such controls can be overly burdensome and impractical for everyday use. In contrast, optimal controls strive to strike a balance between the highest level of security and user convenience, ensuring practicality in real-world scenarios.

Within the workforce of any enterprise, there is a wealth of accumulated knowledge about cybersecurity controls. Over time, a common understanding emerges regarding the most effective set of controls—the ones considered optimal for that particular enterprise. Challenging this established viewpoint can be a difficult feat. Consequently, crafting the ideal defense against ever-evolving cyberthreats requires a meticulous approach.1

Brainstorming is the intellectual equivalent of sifting through a pile of unrefined ore. It is messy, it results in many rough ideas, and it might not yield immediate results.2 But within that jumbled mess lies the potential for valuable discoveries. By exchanging a variety of thoughts, even seemingly far-fetched ones, teams expose their existing knowledge to new perspectives. Meticulously examining a broader set of stringent controls empowers teams to unearth hidden vulnerabilities and identify potential weaknesses.

This free flow of ideas allows connections to form in unexpected ways, unearthing insights that might otherwise remain hidden. Thus, brainstorming provides a mechanism by which teams can fertilize and prune the garden that is their current understanding. It allows teams to delve deeper, to consider a wider range of possibilities before settling on a course of action. This process ensures that teams do not miss crucial ideas and information that could enhance their defenses.

Imagine a gardener rigorously evaluating all the available plants before selecting the perfect ones for their garden. Similarly, a cybersecurity expert should not simply pick the supposedly optimal controls without considering alternatives. This pruning process involves discarding controls that might be redundant, excessive, or incompatible with the specific needs of the system. Open exploration minimizes the risk of overlooking a more effective solution buried within the vast array of possible cybersecurity controls.

However, taking the easy route and shutting down the brainstorming process too early can have dire consequences.3 Valuable information often takes time to surface, and by considering only readily available solutions, enterprises risk overlooking crucial details or innovative approaches. Brainstorming allows teams’ understanding to evolve, but it needs time and space to develop.4 Embracing the initial chaos allows teams to harvest a wealth of insights that would be overlooked with a closed mind and a quick-fix mentality.


For example, teams might overlook a control specifically designed to counter a newly discovered threat, leaving the enterprise vulnerable. Just as a gardener planting solely for aesthetics might miss out on a plant that thrives in a particular climate and provides valuable benefits, a cybersecurity expert focused solely on optimal controls might miss out on an effective defense for a specific situation.

Brainstorming with a stringent-first approach is a powerful strategy for arriving at a truly optimal cybersecurity control list.

The Perils of Starting at Optimal

Starting with a preconceived notion of optimal controls might mean focusing on readily deployable or cost-effective measures. Although these are important considerations, a narrow initial focus can result in blind spots. This oversight can lead to potential threats and vulnerabilities, including:

  • Incomplete risk assessment—A flawed risk assessment can lead to gaps in the team’s understanding of the specific risk factors involved. Starting with a broad focus on stringent controls encourages a thorough risk assessment that considers diverse attack vectors and potential consequences. This comprehensive view allows controls to be tailored later, ensuring that they address the most critical threats.
  • Neglect of unconventional threats—Cybercriminals are constantly innovating. A rigid list of optimal controls might miss emerging threats or those specific to an enterprise’s business or data. Brainstorming with a broader initial scope allows for consideration of less common but potentially devastating attack scenarios. A fourth-party (subcontractor) example may prove helpful here. A common scenario involves a third party with whom an enterprise collaborates that requires data such as invoices or other documents to be shared via a file-sharing platform. The potential risk stemming from these fourth parties is typically subject to thorough scrutiny only under a stringent regime.
  • Underestimation of compliance requirements—Regulations and industry standards often mandate specific controls, and these can evolve over time. Focusing on optimal controls from the outset creates a risk of overlooking or misinterpreting the latest requirements. For example, the banking and finance industry has Know Your Customer (KYC) requirements that vary based on the product being serviced. Careful consideration should be given to the difference between minimum and full KYC requirements. Incorrect estimations can lead to sanctions on the organization itself. Stringent brainstorming ensures that compliance is considered up front, avoiding costly last-minute adjustments.
  • Cybersecurity maturity gap—Reliance on optimal controls can lead to stagnation in the cybersecurity team’s capabilities. This, in turn, could leave the team unprepared to deal with evolving threats posed by new technologies. It is important to strike a balance, adhering to best practices while periodically revisiting controls to ensure that they remain adaptable and responsive to emerging challenges.

The Benefits of Stringent Brainstorming

Brainstorming with a stringent-first approach can help enterprises avoid the risk presented by an overreliance on optimal controls and unlock several advantages:

  • Comprehensive risk identification—Beginning with a complete list of cybersecurity controls forces teams to consider every potential attack vector and encourages them to explore the full spectrum of available options. By working through this list, teams can assess the enterprise’s current security posture and identify weaknesses that can be addressed with modern advancements. Controls that were evaluated when new technologies were in their early stages may have matured and could even be industry best practices. Revisiting them ensures a more thorough risk identification and management process, leading to a more robust security posture.
  • Prioritization through elimination—When faced with a comprehensive list of controls, brainstorming naturally leads to prioritization. As teams discuss and evaluate each control, they can eliminate those deemed excessive or impractical (e.g., requiring multifactor authentication [MFA] for websites that are accessible only on the enterprise network). This refinement process creates a more focused and effective list, streamlining implementation and ensuring that resources are directed toward the most impactful controls. By eliminating unnecessary measures, teams avoid the burden of managing an overly intricate and dated security posture.
  • Flexibility and customization—By starting with a broad range of controls, teams have the flexibility to tailor them to the enterprise’s specific requirements. Advances in technology offer greater opportunities for customization (e.g., password policies, data retention policies, web traffic management, etc.), allowing an enterprise to achieve a balance between security and cost effectiveness. Stringent measures can be adapted to fit resource constraints and risk tolerance, ultimately leading to a set of controls that is robust, practical, and that meets the enterprise’s unique needs.
  • Consensus and cultural alignment—Critical examination of a comprehensive list of controls allows teams to facilitate a productive dialogue among stakeholders. This exchange of viewpoints is instrumental in establishing a cybersecurity control baseline that seamlessly aligns with the organizational culture. Through these discussions, teams can determine whether the proposed controls can be implemented within the existing culture or whether adjustments are necessary for successful adoption.

The Brainstorming Process

After thoroughly examining the potential pitfalls of an optimal approach and the advantages of stringent measures, the crux of the matter lies in striking a balance that facilitates the enterprise’s ability to manage controls effectively while encouraging user compliance. By taking the following steps, an enterprise can leverage brainstorming to develop a robust cybersecurity control baseline:

  1. Gather a diverse team—To ensure a well-rounded approach, assemble a diverse team comprising individuals from IT, security, legal, and other business units. By bringing together experts from various fields, teams can benefit from diverse perspectives and enriched discussions. For example, a security engineer might advocate for stringent email monitoring and data retention policies to enhance behavioral analytics. Meanwhile, legal counsel can provide invaluable guidance on data processing regulations and privacy concerns, helping to minimize compliance risk. This collaborative process not only expands the team’s knowledge base but also fosters a more thoughtful and informed approach among members who may have previously been unaware of certain requirements.
  2. Identify critical assets—Begin by identifying the enterprise’s most valuable assets, such as sensitive data, critical systems, and intellectual property. This can be done through a combination of business impact analysis, risk assessment, and stakeholder input. Once the criticality of the assets has been established, prioritize controls around their protection.
  3. Explore the risk landscape—Brainstorm potential risk factors and threats, considering both common attacks and those specific to the enterprise’s business or data holdings. The combined knowledge of a diverse team, coupled with an understanding of critical assets, significantly helps in a thorough exploration of the risk landscape. In addition to common risk scenarios such as distributed denial of service (DDoS) attacks and phishing scams, industry-specific risk needs to be addressed. For example, an enterprise involved in manufacturing must take precautions to protect against attacks on its Supervisory Control and Data Acquisition (SCADA) systems and develop contingency plans for rapid component replacement to minimize downtime. System integrity is paramount to ensure that the manufactured product remains unaltered by malicious actors.
  4. Brainstorm potential controls—Generate a comprehensive list of potential controls, regardless of feasibility or cost. A thorough inventory of controls can go far in building a bigger picture of an enterprise’s security posture. The involvement of a diverse team ensures that controls are aligned with the specific needs and responsibilities of different departments. Additionally, categorizing controls based on data type (e.g., financial, health) can facilitate compliance by making it easier to identify and justify their implementation.
  5. Prioritize and refine—Carefully evaluate each control, considering its effectiveness, cost, and impact on business operations. Prioritize controls based on identified risk factors and threats. This stage is most important as it distinguishes between stringent and optimal measures. Additionally, it presents an opportunity to refine stringent controls into optimal ones and balance security and usability. For example, rather than implementing complex password requirements, one might adopt passkeys. In addition, MFA could be relaxed for a set duration on trusted devices, potentially in conjunction with geolocation data monitoring. Alternatively, when managing outbound emails with attachments sent to personal accounts, instead of mandating approval for all such communications, one could implement an automated scanning process. This system would allow for immediate transmission of emails found to be free of restricted data while flagging only those containing sensitive information for further review.
  6. Map compliance—Ensure that the control list addresses relevant regulations and industry standards. For example, certain enterprises handling customer data may need to comply with the EU General Data Protection Regulation (GDPR) or other privacy laws. Those dealing with financial data may be subject to Payment Card Industry Data Security Standard (PCI DSS) requirements, particularly if they store cardholder information. While understanding relevant regulations is essential, accurately mapping them to specific controls can be a complex task. Enterprises with bring-your-own-device (BYOD) policies must be especially vigilant in implementing usage monitoring controls that respect individual privacy, or else they could be subjected to regulatory fines. 
  7. Perform a cost-benefit analysis—Evaluate the cost of implementing each control against the potential benefit (reduced risk). Communicate the value of investment in these controls to nontechnical stakeholders. Refine the list based on cost-effectiveness. It is common for decision-making bodies, particularly those responsible for approving budgets or implementations, to be predominantly composed of nontechnical leaders. These individuals often prioritize the potential return on investment for the enterprise. Clear communication and the ability to quantify outcomes are essential for gaining their support and ensuring successful implementation.
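The outbound-email example in step 5 (refining a stringent "approve every attachment sent to a personal account" rule into an optimal "scan first, hold only what carries restricted data" rule) can be made concrete. The following is an added illustration, not code from the article; the personal-domain list, the two restricted-data patterns (Luhn-valid card numbers and a CONFIDENTIAL marking) and the sample emails are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed list of personal-account domains; a real deployment would maintain its own.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
# 13-16 digits with optional space/dash separators, checked with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
MARKING_RE = re.compile(r"\bCONFIDENTIAL\b")


@dataclass
class Email:
    recipient: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so that arbitrary 16-digit numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_restricted(text: str) -> list:
    """Return the kinds of restricted data found in one attachment's text."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("card-number")
    if MARKING_RE.search(text):
        hits.append("confidentiality-marking")
    return hits


def to_personal_account(email: Email) -> bool:
    return email.recipient.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS


def stringent_decision(email: Email):
    """Stringent control: every attachment-bearing email to a personal account waits for approval."""
    if to_personal_account(email) and email.attachments:
        return ("hold", {})
    return ("send", {})


def optimal_decision(email: Email):
    """Optimal control: scan first; hold only attachments that actually contain restricted data."""
    if not (to_personal_account(email) and email.attachments):
        return ("send", {})
    findings = {name: find_restricted(body) for name, body in email.attachments.items()}
    findings = {name: hits for name, hits in findings.items() if hits}
    return ("hold", findings) if findings else ("send", {})
```

Run on a plain invoice and on a card export, the stringent rule holds both while the optimal rule releases the invoice and holds only the export, which is the usability gain the step describes.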

Conclusion

By starting with a comprehensive brainstorming session that considers stringent controls, cybersecurity teams gain a deeper understanding of the enterprise’s security posture and the threats it faces. Through an iterative refinement process, teams can arrive at a set of controls that are both optimal and effective, keeping the enterprise secure in the ever-evolving cyberthreat landscape. The time invested in exploring all possibilities up front is far less costly than the breaches that might occur due to a hastily chosen, suboptimal security posture. The best cybersecurity approach is a proactive one, and a well-brainstormed control list is a powerful foundation for a strong cybersecurity posture.

Endnotes

1 McAllister, J.; “Cyber Intelligence and Critical Thinking,” SEI Blog, Carnegie Mellon Software Engineering Institute, 15 February 2016
2 Gregersen, H.; “Better Brainstorming,” Harvard Business Review, March–April 2018
3 Coyne, K.P.; Coyne, S.T.; “Seven Steps to Better Brainstorming,” McKinsey Quarterly, 1 March 2011
4 IDEO U, “Brainstorming,” 

ABHISHEK KUSHWAHA | CISA, CDPSE, CISSP, CCSP

Is a Bengaluru-based cybersecurity professional with more than 10 years of experience and a proven track record of helping enterprises achieve and maintain compliance with critical security frameworks. His interests include security audits, risk assessments, and technology policy, and his expertise spans various compliance domains, including International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, Payment Card Industry Data Security Standard (PCI DSS), and data privacy. Kushwaha possesses a deep understanding of cybersecurity frameworks, controls, and best practices.
