Look at your whole organization as a single system, a black box, and threat model it in order to understand what controls are needed and where they need to be placed. Bonus output is a clear architectural knowledge of the organization.
It’s about having different controls supporting each other on each different layer. If one layer deploys a detective or preventive control, the next layer should have a response control that can take on the issues that were not caught in the previous layer. Each layer must have at least one detective and one preventive control checking each other.
Key preventive and reactive controls should interact as partners, specially if deployed in the same layer. This will help create a bigger and harder response when needed, and add to the ability to pass that response to the next layer.
Controls must be constantly monitored for effectiveness. Aside from a dashboard or logs indicating what the controls are detecting or preventing, there is a need to create an effectiveness monitoring dashboard, displaying whether controls are working as expected, and whether the current threat landscape has changed enough to make those controls ineffective.
Each control output should inform other controls, making them smarter and able to detect and prevent more attacks. This is a good way to create a signal that can propagate faster and farther along all layers, acting as an early warning message that all controls should pay attention. Some controls should be smart, while some can remain passive and dumb, however, the latter must learn from the former.