Q

Security vs. compliance: Moving beyond a 'checkbox security' mentality

Mike Chapple discusses the compliance vs. security challenge and why a "checkbox security" mentality may actually be a good thing.

Our security and compliance program is heavily reliant on a "checkbox" mentality -- the security program is based

almost entirely on the PCI DSS (that's what justifies the spending) and the compliance program is based on getting the assessor's stamp of approval, not having sound, constant risk management and data security controls. I feel like it's my responsibility to try to change this attitude, but as a security manager (below director-level), it seems impossible. Where can I start?

Ask the Expert

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

I'd actually argue that you shouldn't try to make your compliance program about security, and that a "checkbox" approach to compliance is actually the correct way to go. I know that sounds heretical, but when looking at security vs. compliance, I encourage organizations to treat each as separate functions that, while they have some overlapping controls, have completely different purposes.

Information security groups should have the confidentiality, integrity and availability of their organization's information and computing resources as their prime concern. This is where a risk-based approach comes into play. Security staff should always make decisions about controls based upon the organization's budget and risk appetite. Their bottom-line job is to ensure that the organization's security program is effective and efficient.

From the Editor: More on security vs. compliance

Expert Ernie Hayden recently answered a similar question on security vs. compliance -- Information security program development: Security vs. compliance

Compliance, on the other hand, is a completely different task. The goal of compliance programs is to satisfy externally imposed requirements that may or may not support an effective security program. The fact that a company has been deemed compliant does not guarantee that it is secure, and some obligations that it fulfills may not contribute anything to security. Compliance is something that companies do because they must, so a checkbox approach, in my mind, is appropriate.

Now, compliance and security tasks do overlap quite a bit. If your company has a well-defined and implemented security program, it should find that it already meets many of its compliance obligations as well. Companies can supplement this program with some "box checking" that ensures they are doing the things that others demand, in addition to those that they think are appropriate. So to be clear, while a checkbox security might not be a good idea, checkbox compliance is often the way to go.

This was first published in July 2012

Dig deeper on IT Security Audits

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close