A security control is a safeguard or measure used to prevent, detect, correct, or otherwise reduce security risk.
A security control is a safeguard used to protect systems, data, and operations. In plain language, it is something an organization puts in place to reduce the chance of a security problem, limit the damage if one occurs, or improve detection and response when issues arise.
Security controls matter because cybersecurity is not only a set of goals or policies. Organizations need real measures that change system behavior, user behavior, or operational visibility. Without controls, principles such as confidentiality, least privilege, or defense in depth remain ideas rather than protections.
Controls also matter because they create structure for security programs. Teams can ask whether a control is preventive, detective, corrective, or compensating, whether it is strong enough for the risk involved, and whether it is actually being used consistently across the environment.
The term appears in compliance frameworks, audit findings, architecture reviews, access design, vulnerability response, and incident response planning. Controls can include technical measures such as multi-factor authentication, operational measures such as privileged-access review, and resilience measures such as tested backups.
Security teams also use the idea of controls when communicating with leadership. Rather than describing every product detail, they explain what controls exist, what gap remains, and what new control is needed to reduce a given risk.
A company wants to reduce the risk of unauthorized administrator access. It introduces stronger authentication for admin accounts, limits standing privileges, records high-risk admin actions, and requires periodic access review. Each of those measures is a security control, and together they form a more complete defense.
A security control is not always a software product. Policies, review processes, approval workflows, and backup procedures can all be controls when they meaningfully reduce risk.
It is also a mistake to assume any control is automatically effective. A control must be appropriate to the threat and actually used in practice. A written rule that no one follows is not a strong control, even if it looks good on paper.