Visibility is context. Analytics combine context with events. Policy translates that into a ”plan of action implemented by controls. Another way to put it is “Given” a context, “When” an event occurs policy “Then” translates it into plan of action implemented by controls – the weird wording will become clearer soon.
Security policies are the requirements for cyber security systems. They can be implicit (defaults) or explicit. Like all good requirements they are defined by a group separate from the actual implementers. That causes the same disconnect between requirements (policies) and implementation that has plagued computer systems since the 60s. That gap is known to be the cause of most bugs in computer systems and probably holds true for security issues as well (just read Richards F. Smith’s testimony on the Equifax breach). To address the gap there have been repeated attempts to enable analysts to also be implementers, e.g. 4th generation languages and their current incarnation as “Low Code Platforms” are two examples. These approaches do have value but the vast majority of current systems (and for the foreseeable future) are not implemented that way.
A different approach is to enable analysts to define validations that requirements are actually being met. They don’t try to generate the implementation – instead they create an executable document that is used to define system validation. This technique is called Behavior Driven Development (BDD) – which is a way to build systems to ensure they fulfill their intended business purpose (aka fit-for-purpose). In this approach analysts use a DSL (Domain Specific Language – e.g. Given-When-Then) to describe system validations. Developers use those validations as guidelines on what to implement, and then as a way to validate the implemented system. Now reread the first paragraph to see how similar this approach is to policies.
This approach meshes well with modern DevOps approaches of test driven development. When applied to cyber security, BDD will enable CISOs to validate and enforce security policies that are actually implemented by the systems.