Can We Cease Check-Box Compliance?

Some indicators show a transition to risk-based management driving security decisions, but compliance checklists still pay the infosec bills


For years now, security insiders have railed against the check-box compliance ethos, warning enterprises that simply chasing after regulatory lists won't ever fully address the risks facing their organizations. While there are some early indicators that show that this message may be finally gaining acceptance among tech and line-of-business executives, security experts say the transition to risk-based decision-making is still a long way off.

"Compliance is no longer the driver for IT risk and security. Compliance is just one of many risk domains to be addressed in a mature risk management program and approach," Gartner analyst Paul Proctor recently wrote about the issue. "Too often organizations still treat compliance activities as a check-box exercise with little regard for the related risks they are intended to address."

[How well do you normalize data for risk management? See "Does Your Security Data Mesh With Risk Metrics?"]

That is a shame, considering that even the mandates themselves are starting to move away from the check-box mentality. Many regulations today are no longer simply laundry lists of controls, but rather mandates for risk assessments and for controls based on those assessments, says Proctor, who adds that organizations have not kept pace with that evolution.

But that could well be changing. A recent report out by Wisegate showed that among the group's membership of CISOs, these executives are increasingly responsible for risk management and privacy policy on top of information security. The results show that security officers do understand that the governance, risk and compliance acronym is GRC, not GCR. To many of them, risk management trumps compliance on the priority scale.

The difficulty, of course, is that this awareness of risk-based security decision-making has not necessarily pushed its way to the top of the food chain. A recent survey by 451 Research showed that compliance still overwhelmingly decides information security buying decisions. That is not really a surprise, considering that regulations like SOX have such a high level of visibility within the executive suite, says Daniel Kennedy, research director for the firm.

"If these issues find their way to the board of directors or CEO’s desk a few times, that gives a person auditing IT systems and processes a very large stick with which to influence project direction," he says. "That said, does this approach ensure that the right security projects are being implemented, based on actual organizational risk?"

That answer is likely no, says Brian Christensen, head of global internal audit for Protiviti, who points out that one of the dangers of engaging in a check-box mentality is the static nature of the lists that organizations use to make those check marks.

"When people have a check-box mentality, they don't have a broader awareness of the environment and the changes that are ongoing," Christensen says. "And that's a critical component, particularly in the IT area. Whether it is dealing with new cyber attacks or changes in technology that make things obsolete at a very fast pace, the ability to have conversations around that (risk) both from a business-process owner standpoint and from an auditor standpoint is a leading standard by which we would expect organizations to abide."

He agrees that the industry is at the beginning of a gradual transition away from check-box compliance. But how close it is to that proverbial tipping point is still up for debate. One thing is certain, he says: the rate at which the transition tips will depend largely upon how quickly security industry leaders update their people skills.

"They have to be advocates with persuasive skills in communicating the current state, a future state and what steps are necessary so that you aren't stuck reviewing a checklist and coming back two years later and recognizing that checklist is obsolete," he says.


About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
