Security Control Validation at the ISF Orange Chapter

On September 3rd 2025, I had the opportunity to speak at the ISF Orange Chapter Fall Meeting in Utrecht. The event brought together a wide range of professionals working to improve how we manage information security in practice.
My talk focused on a topic that often sits between disciplines — security control validation.
Security teams invest significant time and resources into deploying controls. But without structured validation, it’s difficult to determine whether those controls are truly working as intended. Compliance, monitoring, and testing each provide a part of the picture, but they don’t answer the full question: How well does this control perform in the real world?
In the session, we discussed:
- Why compliance doesn’t equal protection
- How technical and organizational controls fail in different ways
- What silent control failure looks like
- What evidence-based validation looks like in practice
- How to build a lean and repeatable validation practice
This wasn’t a theoretical conversation. The aim was to show how small steps focused on risk, data, and outcome can lead to much stronger assurance over time.
If you attended and want to learn more, or if this subject is relevant to your role, I’m currently publishing a series of articles on security control validation. The first post is available here:
Thanks to the ISF team for hosting, and to everyone who joined the discussion.