Security vs. compliance: Moving beyond a 'checkbox security' mentality


Security vs. compliance: Moving beyond a 'checkbox security' mentality

Our security and compliance program is heavily reliant on a "checkbox" mentality -- the security program is based almost entirely on the PCI DSS (that's what justifies the spending) and the compliance program is based on getting the assessor's stamp of approval, not having sound, constant risk management and data security controls. I feel like it's my responsibility to try to change this attitude, but as a security manager (below director-level), it seems impossible. Where can I start?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

I'd actually argue that you shouldn't try to make your compliance program about security, and that a "checkbox" approach to compliance is actually the correct way to go. I know that sounds heretical, but when looking at security vs. compliance, I encourage organizations to treat each as separate functions that, while they have some overlapping controls, have completely different purposes.

Information security groups should have the confidentiality, integrity and availability of their organization's information and computing resources as their prime concern. This is where a risk-based approach comes into play. Security staff should always make decisions about controls based upon the organization's budget and risk appetite. Their bottom-line job is to ensure that the organization's security program is effective and efficient.

Compliance, on the other hand, is a completely different task. The goal of compliance programs is to satisfy externally imposed requirements that may or may not support an effective security program. The fact that a company has been deemed compliant does not guarantee that it is secure, and some obligations that it fulfills may not contribute anything to security. Compliance is something that companies do because they must, so a checkbox approach, in my mind, is appropriate.

Now, compliance and security tasks do overlap quite a bit. If your company has a well-defined and implemented security program, it should find that it already meets many of its compliance obligations as well. Companies can supplement this program with some "box checking" that ensures they are doing the things that others demand, in addition to those that they think are appropriate. So to be clear, while a checkbox security might not be a good idea, checkbox compliance is often the way to go.

This was first published in July 2012