A New Challenge
Maya arrived at NovaTech Corp on her first day as Information Security Analyst. The CISO handed her a folder and said, "We've had three incidents in the past quarter. We need a full review of our controls." Maya opened the folder and saw a mix of technical vulnerabilities, a physical break-in at a server room, and a policy violation by an employee. She smiled β she knew exactly where to start.
"Security risks exist in every environment," she told herself. "But so do controls. I just need to make sure we have the right ones in place."
Building the Foundation
Maya drew a diagram on her whiteboard. She grouped NovaTech's controls into four categories. First, Technical Controls: the firewall that guarded network traffic, the antivirus scanning endpoints, and the OS-level permissions. These were automated β they worked without any human pressing a button.
Second, Managerial Controls: the security policy document, the SOPs, the annual risk assessment process. "These are administrative," she explained to her colleague Diego. "They shape the design of everything else."
Third, Operational Controls: the security guards patrolling at night, the awareness training program every employee took. "Humans, not systems," she noted.
Finally, Physical Controls: the badge readers, the fences around the data center, the locked server racks. "If an attacker walks through the front door," she said, "all the firewalls in the world won't help."
βοΈ The Four Control Categories
- Technical β Firewalls, antivirus, OS controls (automated systems)
- Managerial β Security policies, SOPs, compliance requirements (administrative)
- Operational β Guards, awareness programs (implemented by people)
- Physical β Badge readers, fences, locks (limit physical access)
What Does Each Control Actually Do?
After categorizing the controls by how they're implemented, Maya mapped them by what they do. She identified seven types at NovaTech.
Preventive: The firewall rules blocking inbound connections. The locked door at the server room. "These say 'You shall not pass,'" she told Diego. They stop incidents before they start.
Deterrent: The warning signs near the data center, the splash screen on the HR system warning users their actions are monitored. "These make attackers think twice," she explained. "They don't directly block β they discourage."
Detective: The SIEM system collecting logs, the motion sensors in the server room, the login anomaly reports. "If something gets through, these tell us it happened."
Corrective: The backup system that let Maya restore data after last month's ransomware hit. The incident response playbook. "After detection, we correct," she said.
Compensating: A legacy system couldn't be patched, so Maya added a firewall rule to block exploits targeting it. "When you can't fix the real problem, compensate around it."
Directive: The "Authorized Personnel Only" signs. The clean-desk policy. The training module telling staff to store sensitive files in protected folders. "These guide behavior," she noted. "The weakest type β but still valuable."
Putting It All Together
By Friday, Maya had mapped every NovaTech control to its category and type. The firewall was both Technical and Preventive. The security guard was Operational and Deterrent (and also Detective β he could spot intruders). The backup system was Technical and Corrective.
"The key," she told the CISO, "is layering. No single control is enough. A determined attacker might bypass the fence, but then face badge readers, then cameras, then locked racks, then encryption." She paused. "Defense in depth."
The CISO nodded. "Same idea β different people call it different things. What matters is that every control fills a gap in the next one's defense."
Maya smiled. She had turned a folder of incidents into a clear, layered security architecture. And it all started with understanding the categories and types.