Our security and compliance program is heavily reliant on a "checkbox" mentality -- the security program is based almost entirely on the PCI DSS (that's what justifies the spending) and the compliance program is based on getting the assessor's stamp of approval, not having sound, constant risk management and data security controls. I feel like it's my responsibility to try to change this attitude, but as a security manager (below director-level), it seems impossible. Where can I start?
I'd actually argue that you shouldn't try to make your compliance program about security, and that a "checkbox" approach to compliance is actually the correct way to go. I know that sounds heretical, but when looking at security vs. compliance, I encourage organizations to treat each as separate functions that, while they have some overlapping controls, have completely different purposes.
Information security groups should have the confidentiality, integrity and availability of their organization's information and computing resources as their prime concern. This is where a risk-based approach comes into play. Security staff should always make decisions about controls based upon the organization's budget and risk appetite. Their bottom-line job is to ensure that the organization's security program is effective and efficient.
Compliance, on the other hand, is a completely different task. The goal of compliance programs is to satisfy externally imposed requirements that may or may not support an effective security program. The fact that a company has been deemed compliant does not guarantee that it is secure, and some obligations that it fulfills may not contribute anything to security. Compliance is something that companies do because they must, so a checkbox approach, in my mind, is appropriate.
Now, compliance and security tasks do overlap quite a bit. If your company has a well-defined and implemented security program, it should find that it already meets many of its compliance obligations as well. Companies can supplement this program with some "box checking" that ensures they are doing the things that others demand, in addition to those that they think are appropriate. So to be clear, while a checkbox security might not be a good idea, checkbox compliance is often the way to go.
This was first published in July 2012