"Compliance is no longer the driver for IT risk and security. Compliance is just one of many risk domains to be addressed in a mature risk management program and approach," Gartner analyst Paul Proctor recently wrote about the issue. "Too often organizations still treat compliance activities as a check-box exercise with little regard for the related risks they are intended to address."
Which is a shame, considering that even the mandates themselves are starting to move away from the check-box mentality. Many regulations today are no longer simply laundry lists of controls, but rather mandates for risk assessments and for controls based on those assessments, says Proctor, who adds that organizations have not kept pace with that evolution.
The difficulty, of course, is that this awareness of risk-based security decision-making has not necessarily pushed its way to the top of the food chain. A recent survey by 451 Research showed that compliance still overwhelmingly drives information security buying decisions. That is not really a surprise, considering that regulations like SOX have such a high level of visibility within the executive suite, says Daniel Kennedy, research director for the firm.
"If these issues find their way to the board of directors or CEO’s desk a few times, that gives a person auditing IT systems and processes a very large stick with which to influence project direction," he says. "That said, does this approach ensure that the right security projects are being implemented, based on actual organizational risk?"
That answer is likely no, says Brian Christensen, head of global internal audit for Protiviti, who points out that one of the dangers of engaging in a check-box mentality is the static nature of the lists that organizations use to make those check marks.
"When people have a check-box mentality, they don't have a broader awareness of the environment and the changes that are ongoing," Christensen says. "And that's a critical component, particularly in the IT area. Whether it is dealing with new cyber attacks or changes in technology that make things obsolete at a very fast pace, the ability to have conversations around that (risk), both from a business-process owner standpoint and from an auditor standpoint, is a leading standard by which we would expect organizations to abide."
He agrees that the industry is at the beginning of a gradual transition away from check-box compliance. But how close it is to that proverbial tipping point is still up for debate. One thing is for sure, he says: the rate at which the transition tips will depend largely on how quickly security industry leaders update their people skills.
"They have to be advocates with persuasive skills in communicating the current state, a future state and what steps are necessary so that you aren't stuck reviewing a checklist and coming back two years later and recognizing that checklist is obsolete," he says.