Information Security is like a Layered Cake
It is hard to deny the taste, texture and presentation of a great cake. For many of us, cakes are associated with something special, or something to look forward to. Cakes may take many different forms, from the most simple to the most complex. You can make a cake from almost anything. Your recipe can include chocolate, fruit, icing, candy, and the list goes on. Cakes do not even have to be edible. Children often make cakes with mud for fun and information security specialists make cakes with controls to keep corporate or institutional data safe. Admittedly, perhaps making a control cake is not as much fun as making a mud cake, but all cake creators can be considered bakers in their own way.
Why compare information security to a cake? Well, people understand cakes. The concept of separate layers of ingredients is easy to visualize, or to experience, when you are presented with a cake. Information security follows exactly the same paradigm. In an information security cake, the layers of ingredients are controls, and each control “tastes” different. Great information security, just like the wonderful cake flavours on your palate, is created by combining multiple controls. Layers of information security controls are designed to be complementary, just as cake flavours are: each control layer augments or supports the control layer adjacent to it, so that a weakness in one layer is covered by another.
Different layers of security controls address different types of business risk, just as different cake ingredients stimulate different areas of your palate.
Unfortunately, business risks can leave a metaphorical bad taste in a corporate data owner’s mouth. This can be remedied by a tasty information security control cake! One of the finest information security cake recipes is the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. It is built from five business-centric control layers, called Functions: Identify, Protect, Detect, Respond, and Recover. These layers are the framework that InvestorCOM applies to categorize its information security controls.
This business categorization of security controls is designed to follow a logical incident flow: it illustrates the defensive actions needed at each stage to interrupt what the security world calls the “Cyber Kill Chain”, the sequence of steps an attacker works through from reconnaissance to achieving their objective. An external threat source may exploit known or unknown vulnerabilities to breach corporate control defenses and present itself as a threat to the business. This threat is a business risk that must be addressed whenever corporate resources or services are exposed to internal or external networks. It is addressed by applying controls that cover the security principles of Confidentiality, Integrity and Availability (the classic CIA triad), extended here with Reliability and Privacy, for five principles in total. Information security controls applied to inherent risks reduce business risk to a residual level that is acceptable to the corporation or institution.
NIST has provided corporations and institutions with a mapping, the Framework’s Informative References, that ties each category to the corresponding controls in one or more existing information security control standards, so that several standards can be combined into a single overarching business framework for improving critical infrastructure cybersecurity. The Functions and Categories within this framework are reportable and incorporate the five security principles above.
Each of these cybersecurity Functions is broken down into control Categories, as shown in the Excel cake here. It is hard to resist the cake paradigm! When security controls are categorized and then mapped to a business-centric Function, their purpose can be communicated to, and understood by, every corporate employee. The layering concept is also instrumental in organizing and reporting residual business risk. Common information security frameworks such as CCS CSC 5, ISO/IEC 27001:2013, COBIT 5, ISA 62443-3-3:2013, NIST SP 800-53 Rev. 4, and others are mapped to the NIST Cybersecurity Framework Categories listed above.
So the next time you think of information security, think of a layered cake!
For further information, visit NIST’s Cybersecurity website: https://www.nist.gov/topics/cybersecurity