Risk // Compliance
4/18/2013
07:50 PM

Can We Cease Check-Box Compliance?

Some indicators show a transition to risk-based management driving security decisions, but compliance checklists still pay the infosec bills

For years now, security insiders have railed against the check-box compliance ethos, warning enterprises that simply chasing after regulatory lists won't ever fully address the risks facing their organizations. While there are some early indicators that show that this message may be finally gaining acceptance among tech and line-of-business executives, security experts say the transition to risk-based decision-making is still a long way off.

"Compliance is no longer the driver for IT risk and security. Compliance is just one of many risk domains to be addressed in a mature risk management program and approach," Gartner analyst Paul Proctor recently wrote about the issue. "Too often organizations still treat compliance activities as a check-box exercise with little regard for the related risks they are intended to address."

[How well do you normalize data for risk management? See Does Your Security Data Mesh With Risk Metrics?]

Which is a shame, considering that even the mandates themselves are starting to transition away from the check-box mentality. Many regulations today are no longer simply laundry lists of controls, but rather mandates for risk assessments and controls based on those assessments, says Proctor, who says organizations have not kept pace with that evolution.

But that could well be changing. A recent report out by Wisegate showed that among the group's membership of CISOs, these executives are increasingly responsible for risk management and privacy policy on top of information security. The results show that security officers do understand that the governance, risk and compliance acronym is GRC, not GCR. To many of them, risk management trumps compliance on the priority scale.

The difficulty, of course, is that this awareness for risk-based security decision-making has not necessarily pushed its way to the top of the food chain. A recent survey out by 451 Research showed that compliance still overwhelmingly decides information security buying decisions. It's not really a surprise considering that regulations like SOX have such a high level of visibility within the executive suite, says Daniel Kennedy, research director for the firm.

"If these issues find their way to the board of directors or CEO’s desk a few times, that gives a person auditing IT systems and processes a very large stick with which to influence project direction," he says. "That said, does this approach ensure that the right security projects are being implemented, based on actual organizational risk?"

That answer is likely no, says Brian Christensen, head of global internal audit for Protiviti, who points out that one of the dangers of engaging in a check-box mentality is the static nature of the lists that organizations use to make those check marks.

"When people have a check-box mentality, they don't have a broader awareness of the environment and the changes that are ongoing," Christensen says. "And that's a critical component, particularly in the IT area. Whether it is dealing with new cyber attacks or changes in technology that make things obsolete at a very fast pace, the ability to have conversations around that (risk) both from a business-process owner standpoint and from an auditor standpoint is a leading standard by which we would expect organizations to abide."

He agrees that the industry is at the beginning of a gradual transition away from check-box compliance. But how close it is from that proverbial tipping point is still up for debate. One thing is for sure, he says, and that is that the rate at which the transition tips will depend largely upon how quickly security industry leaders update their people skills.

"They have to be advocates with persuasive skills in communicating the current state, a future state and what steps are necessary so that you aren't stuck reviewing a checklist and coming back two years later and recognizing that checklist is obsolete," he says.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
DanMill1,
User Rank: Apprentice
4/24/2013 | 3:35:44 AM
re: Can We Cease Check-Box Compliance?
Hi Everyone,

I'm a student at the University of Advancing Technology and found the article well worth the read, in addition to being completely relevant to my current course, Federal INFOSEC Standards & Regulations. There are regulatory standards like PCI and NERC-CIP, for example, that an organization wouldn't be able to ignore in favor of taking a risk-based approach. With that being said, wouldn't a risk-based approach effectively yield the checks required in the compliance boxes?
Ericka Chickowski,
User Rank: Moderator
4/22/2013 | 4:23:56 PM
re: Can We Cease Check-Box Compliance?
Good point. And I do think that this is why a lot of the regulations are leaning towards regulating the process rather than the specific controls or technologies. Then, of course, you get a lot of people complaining that the regulations are too vague. It's an interesting dynamic.

-Ericka Chickowski, Contributing Writer, Dark Reading
Ericka Chickowski,
User Rank: Moderator
4/22/2013 | 4:21:55 PM
re: Can We Cease Check-Box Compliance?
Yes, I'd say most sources would agree that compliance is the qualifier--table stakes, if you will. Some might flip your last statement around, though: Start with security excellence and end up compliant (or close enough to walk it into the endzone) from that point.

-Ericka Chickowski, Contributing Writer, Dark Reading
InfoSecurityMaster,
User Rank: Guru
4/19/2013 | 5:01:59 PM
re: Can We Cease Check-Box Compliance?
If the practices aren't in place, no technology is going to protect you. I heard one "Industry Leader" say more or less to dump compliance and take the money saved to spend on "real security". Needless to say, if the techies/technologies were doing their jobs (protecting) competently, compliance wouldn't be necessary. Compliance is just the qualifier - it says you might be good enough to get in the race (maybe even pole position). It doesn't, unfortunately, guarantee that your engine won't blow. You start with compliance and build excellence from that point.
McDaveX,
User Rank: Strategist
4/19/2013 | 4:26:23 PM
re: Can We Cease Check-Box Compliance?
No, we can't.
However, what we *can* do is lobby that the checkboxes to be ticked require proof of best practice, so as to make compliance an incentive to do it right, rather than cheap.