The race toward compliance is 'not optimal'

More security managers find themselves running compliance programs rather than performing security and risk management.

Before IT systems were so heavily regulated by HIPAA, Sarbanes-Oxley, PCI DSS, and countless other state and industry mandates, security managers had to beg, borrow and steal the resources they needed to secure their systems. Then, as regulatory mandates and the need for compliance grew, security professionals had new leverage to use in their fight for budget.

It worked. Rather than asking for investments in security technologies to fight threats that may or may not appear, seeking budget for compliance with industry and government mandates actually got execs to loosen the corporate purse strings. The budget windfall was welcomed, but the dynamic of IT security with the business also was changed forever -- and some say not for the better.


"Any decent-sized company is going to have a huge amount of its security investment wrapped up in achieving and maintaining compliance," says David Mortman, contributing analyst at the security market research firm Securosis. "But it's not optional. The plus side of the ledger is that it makes it easier for you to get budgeting. The con is that it's very easy to get your security program sucked into the 'compliance is the only thing you have to do' mentality."

According to our tenth annual Global Information Security Survey, conducted by PricewaterhouseCoopers, legal and regulatory demands were the most frequently cited justification for IT security spending among the 12,052 business and technology execs surveyed (39 percent). That outranked professional judgment (36.6 percent) and potential liability/exposure (33.5 percent). A surprising one in ten respondents said spending on security receives no justification at all.

What happens when the focus is shifted so heavily toward regulations and external compliance mandates? Rather than developing a solid security program that aims to reduce the actual likelihood of successful attacks, the risk management program slides into making sure checklists for compliance are completed and auditors are happy. "It's not like you have a choice about doing these things, but if compliance is your focus, you're likely not reducing your risk," says Mortman.
