More security managers find themselves running compliance programs rather than performing security and risk management. Before IT systems were so heavily regulated by HIPAA, Sarbanes-Oxley, PCI DSS, and countless other state and industry mandates, security managers had to beg, borrow and steal the resources they needed to secure their systems. Then, as regulatory mandates and the need for compliance grew, security professionals had new leverage to use in their fight for budget.

It worked. Rather than asking for investments in security technologies to fight threats that may or may not appear, seeking budget for compliance with industry and government mandates actually got execs to loosen the corporate purse strings. The budget windfall was welcomed, but the dynamic of IT security with the business also was changed forever — and some say not for the better.

Also see: “APT is the new PCI”

“Any decent-sized company is going to have a huge amount of its security investment wrapped up in achieving and maintaining compliance,” says David Mortman, contributing analyst at the security market research firm Securosis. “But it’s not optional. The plus side of the ledger is that it makes it easier for you to get budgeting. The con is that it’s very easy to get your security program sucked into the ‘compliance is the only thing you have to do’ mentality.”

According to our tenth annual Global Information Security Survey, conducted by PricewaterhouseCoopers, many of the 12,052 business and technology execs surveyed reported that in their organizations, IT security spending is justified by legal and regulatory demands (39 percent). That led professional judgment (36.6 percent) and potential liability/exposure (33.5 percent). A surprising one in ten respondents said spending on security receives no justification at all.

What happens when the focus is shifted so heavily toward regulations and external compliance mandates?
Rather than developing a solid security program that aims to reduce the actual likelihood of successful attacks, the risk management program slides into making sure checklists for compliance are completed and auditors are happy. “It’s not like you have a choice about doing these things, but if compliance is your focus, you’re likely not reducing your risk,” says Mortman.

Few security professionals would argue against Mortman’s assertion. So why can’t, or haven’t, so many organizations broken away from the compliance mentality?

Also see: “Global infosec survey finds more talk – but not more action”

“I think that really is because many enterprises have simply not established the proper governance models within their organization and communicated it in more business- and risk management-related terms around information risk to the organization, and how security is an important part of how we mitigate that,” says Jay Leek, CISO at The Blackstone Group. “Many just don’t invest the time to really put together that overall business risk message.”

Without a solid way to demonstrate the level of technology risk a business faces, and the vulnerabilities of the organization to executives, compliance becomes the only way — the crutch — to argue for security spending. With that as the foundation, the security and risk management program essentially becomes a compliance program, with the focus on whether or not compliance is being met, rather than whether adequate levels of security are in place.