Risk // Compliance

4/18/2013 07:50 PM

Can We Cease Check-Box Compliance?

Some indicators show a transition to risk-based management driving security decisions, but compliance checklists still pay the infosec bills

For years now, security insiders have railed against the check-box compliance ethos, warning enterprises that simply chasing after regulatory lists won't ever fully address the risks facing their organizations. While there are some early indicators that show that this message may be finally gaining acceptance among tech and line-of-business executives, security experts say the transition to risk-based decision-making is still a long way off.

"Compliance is no longer the driver for IT risk and security. Compliance is just one of many risk domains to be addressed in a mature risk management program and approach," Gartner analyst Paul Proctor recently wrote about the issue. "Too often organizations still treat compliance activities as a check-box exercise with little regard for the related risks they are intended to address."

Which is a shame, considering that even the mandates themselves are starting to move away from the check-box mentality. Many regulations today are no longer simply laundry lists of controls, but rather mandates for risk assessments and for controls chosen on the basis of those assessments, says Proctor, adding that organizations have not kept pace with that evolution.

But that could well be changing. A recent report out by Wisegate showed that among the group's membership of CISOs, these executives are increasingly responsible for risk management and privacy policy on top of information security. The results show that security officers do understand that the governance, risk and compliance acronym is GRC, not GCR. To many of them, risk management trumps compliance on the priority scale.

The difficulty, of course, is that this awareness of risk-based security decision-making has not necessarily pushed its way to the top of the food chain. A recent survey out by 451 Research showed that compliance still overwhelmingly drives information security buying decisions. That is not really a surprise considering that regulations like SOX have such a high level of visibility within the executive suite, says Daniel Kennedy, research director for the firm.

"If these issues find their way to the board of directors or CEO’s desk a few times, that gives a person auditing IT systems and processes a very large stick with which to influence project direction," he says. "That said, does this approach ensure that the right security projects are being implemented, based on actual organizational risk?"

That answer is likely no, says Brian Christensen, head of global internal audit for Protiviti, who points out that one of the dangers of engaging in a check-box mentality is the static nature of the lists that organizations use to make those check marks.

"When people have a check-box mentality, they don't have a broader awareness of the environment and the changes that are ongoing," Christensen says. "And that's a critical component, particularly in the IT area. Whether it is dealing with new cyber attacks or changes in technology that make things obsolete at a very fast pace, the ability to have conversations around that (risk) both from a business-process owner standpoint and from an auditor standpoint is a leading standard by which we would expect organizations to abide."

He agrees that the industry is at the beginning of a gradual transition away from check-box compliance. But how close it is to that proverbial tipping point is still up for debate. One thing is for sure, he says: the rate at which the transition tips will depend largely upon how quickly security industry leaders update their people skills.

"They have to be advocates with persuasive skills in communicating the current state, a future state and what steps are necessary so that you aren't stuck reviewing a checklist and coming back two years later and recognizing that checklist is obsolete," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
DanMill1, User Rank: Apprentice
4/24/2013 | 3:35:44 AM
re: Can We Cease Check-Box Compliance?
Hi Everyone,

I'm a student at the University of Advancing Technology and found the article well worth the read, in addition to being completely relevant to my current course, Federal INFOSEC Standards & Regulations. There are regulatory standards like PCI and NERC-CIP, for example, that an organization wouldn't be able to ignore in favor of taking a risk-based approach. With that being said, wouldn't a risk-based approach effectively yield the checks required in the compliance boxes?
Ericka Chickowski, User Rank: Moderator
4/22/2013 | 4:23:56 PM
re: Can We Cease Check-Box Compliance?
Good point. And I do think that this is why a lot of the regulations are leaning towards regulating the process rather than the specific controls or technologies. Then, of course, you get a lot of people complaining that the regulations are too vague. It's an interesting dynamic.

-Ericka Chickowski, Contributing Writer, Dark Reading
Ericka Chickowski, User Rank: Moderator
4/22/2013 | 4:21:55 PM
re: Can We Cease Check-Box Compliance?
Yes, I'd say most sources would agree that compliance is the qualifier--table stakes, if you will. Some might flip your last statement around, though: Start with security excellence and end up compliant (or close enough to walk it into the endzone) from that point.

-Ericka Chickowski, Contributing Writer, Dark Reading
InfoSecurityMaster, User Rank: Strategist
4/19/2013 | 5:01:59 PM
re: Can We Cease Check-Box Compliance?
If the practices aren't in place, no technology is going to protect you. I heard one "Industry Leader" say more or less to dump compliance and take the money saved to spend on "real security". Needless to say, if the techies/technologies were doing their jobs (protecting) competently, compliance wouldn't be necessary. Compliance is just the qualifier - it says you might be good enough to get in the race (maybe even pole position). It doesn't, unfortunately, guarantee that your engine won't blow. You start with compliance and build excellence from that point.
McDaveX, User Rank: Strategist
4/19/2013 | 4:26:23 PM
re: Can We Cease Check-Box Compliance?
No, we can't.
However, what we *can* do is lobby that the checkboxes to be ticked require proof of best practice, so as to make compliance an incentive to do it right, rather than cheap.