IT security managers too focused on compliance, experts say

'Check-the-box' mentality is causing companies, government agencies to overlook growing cyberthreats

SAN FRANCISCO -- Companies with IT security strategies that focus mostly on complying with key standards are dangerously unprepared for emerging cyber threats, said security experts at the RSA Conference 2013 here this week.

Over the past few years, the security strategies of many companies and government agencies have centered around meeting the requirements of the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA) and other government and industry standards.

Experts say that meeting such standards is important, but that the standards should serve only as baseline controls within a broader IT security strategy.

"The audit industry has become a monster," said Anup Ghosh, founder of security firm Invincea.

"Keeping those guys at bay" has become a full-time job in many IT security organizations, he said. "A lot of compliance regimens have been all about checking boxes and following processes."

Most of the standards call on companies to implement a fairly minimal set of security controls, Ghosh said. Nonetheless, he added, the task makes up the bulk of security budgets at many companies.

"If all you are doing is meeting an audit need, you are not focusing on what the threats are. We've got to get away from compliance-driven security to threat-based security," Ghosh said.

Compliance requirements are often static and prescriptive, according to security executives. Compliance gives organizations a way to measure the outcome of security efforts, though the measurements can be misleading and provide only a one-time snapshot.

For instance, security experts maintain that organizations can be fully compliant with a specific standard, but still lack protection from multiple threats.

Critics cite the efforts of federal agencies over the past decade to implement FISMA requirements and pass compliance audits. The FISMA standards, while well intentioned, have become mostly an exercise in paperwork by agencies whose primary goal is compliance rather than security, they argue.

Increasingly, information security is about situational awareness, said Stephen Trilling, chief technology officer at Symantec. It is about understanding all potential threats and making sure IT security can respond to any that come up.

"A lot of companies have compliance without actually doing the work," Trilling said. "You can always do the minimum to check a box," but that's not enough to ensure that a company or government agency can ward off cyberattacks, he said.

Trilling noted that the latest cyberattacks are highly targeted and carried out by persistent and sophisticated adversaries.

Traditional signature-based security tools cannot protect against the near-unique, automatically generated malware that cybercriminals are using more and more widely. "Now you have millions of threats, each of which is one or two or three machines," Trilling said.

IT security personnel must therefore look beyond compliance-driven security models to deal with these threats, he said.

"I've lived through an earthquake, so I have a visceral sense for why you need earthquake insurance," Trilling said. IT security managers must have that same sense when it comes to information security, he added.

"Companies that have experienced attacks don't have that sense so they have been doing what they need to do to check the box," Trilling said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is
