Our security and compliance program is heavily reliant on a "checkbox" mentality -- the security program is based...
almost entirely on the PCI DSS (that's what justifies the spending) and the compliance program is based on getting the assessor's stamp of approval, not having sound, constant risk management and data security controls. I feel like it's my responsibility to try to change this attitude, but as a security manager (below director-level), it seems impossible. Where can I start?
Ask the Expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
I'd actually argue that you shouldn't try to make your compliance program about security, and that a "checkbox" approach to compliance is actually the correct way to go. I know that sounds heretical, but when looking at security vs. compliance, I encourage organizations to treat each as separate functions that, while they have some overlapping controls, have completely different purposes.
Information security groups should have the confidentiality, integrity and availability of their organization's information and computing resources as their prime concern. This is where a risk-based approach comes into play. Security staff should always make decisions about controls based upon the organization's budget and risk appetite. Their bottom-line job is to ensure that the organization's security program is effective and efficient.
From the Editor: More on security vs. compliance
Expert Ernie Hayden recently answered a similar question on security vs. compliance -- Information security program development: Security vs. compliance
Compliance, on the other hand, is a completely different task. The goal of compliance programs is to satisfy externally imposed requirements that may or may not support an effective security program. The fact that a company has been deemed compliant does not guarantee that it is secure, and some obligations that it fulfills may not contribute anything to security. Compliance is something that companies do because they must, so a checkbox approach, in my mind, is appropriate.
Now, compliance and security tasks do overlap quite a bit. If your company has a well-defined and implemented security program, it should find that it already meets many of its compliance obligations as well. Companies can supplement this program with some "box checking" that ensures they are doing the things that others demand, in addition to those that they think are appropriate. So to be clear, while a checkbox security might not be a good idea, checkbox compliance is often the way to go.
Dig Deeper on IT Security Audits
Related Q&A from Mike Chapple
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. ...continue reading
Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you...continue reading
The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.