Our security and compliance program is heavily reliant on a "checkbox" mentality -- the security program is based...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
almost entirely on the PCI DSS (that's what justifies the spending) and the compliance program is based on getting the assessor's stamp of approval, not having sound, constant risk management and data security controls. I feel like it's my responsibility to try to change this attitude, but as a security manager (below director-level), it seems impossible. Where can I start?
Ask the Expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
I'd actually argue that you shouldn't try to make your compliance program about security, and that a "checkbox" approach to compliance is actually the correct way to go. I know that sounds heretical, but when looking at security vs. compliance, I encourage organizations to treat each as separate functions that, while they have some overlapping controls, have completely different purposes.
Information security groups should have the confidentiality, integrity and availability of their organization's information and computing resources as their prime concern. This is where a risk-based approach comes into play. Security staff should always make decisions about controls based upon the organization's budget and risk appetite. Their bottom-line job is to ensure that the organization's security program is effective and efficient.
From the Editor: More on security vs. compliance
Expert Ernie Hayden recently answered a similar question on security vs. compliance -- Information security program development: Security vs. compliance
Compliance, on the other hand, is a completely different task. The goal of compliance programs is to satisfy externally imposed requirements that may or may not support an effective security program. The fact that a company has been deemed compliant does not guarantee that it is secure, and some obligations that it fulfills may not contribute anything to security. Compliance is something that companies do because they must, so a checkbox approach, in my mind, is appropriate.
Now, compliance and security tasks do overlap quite a bit. If your company has a well-defined and implemented security program, it should find that it already meets many of its compliance obligations as well. Companies can supplement this program with some "box checking" that ensures they are doing the things that others demand, in addition to those that they think are appropriate. So to be clear, while a checkbox security might not be a good idea, checkbox compliance is often the way to go.
Dig Deeper on IT Security Audits
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.