IT security: Can we be compliant and yet insecure?

How to go beyond regulatory checklists.

Measure to Your New List

Now that you have this new list of requirements, with all the redundancy removed and the ambiguity cleared up, you have a baseline from which to measure your existing controls. Conduct your gap analysis against this new target list of requirements.

Identify Deficiencies

As with any audit or assessment, the gap analysis against your target list of requirements will likely yield some places where your controls are deficient. Make a list of those deficiencies, and that list becomes your action list for remediation. If you are smart, you will assign resources and costs to those action items to help you budget.

Track Progress

Use that list of deficiencies to track progress on closing the gaps, and report that progress so you can show how much more compliant you are than when you started and demonstrate the return on investment for those projects.

That all sounds a little complicated, but believe me when I tell you it's easier than the way we've all been doing it, with multi-layered spreadsheets and counting on our fingers and toes. There are some solutions out there that automate this process. Make sure you select one that creates your own unique compliance target and does not force you to adapt to a single best practice or standard, because one size does not fit all.

So, can we be compliant and yet insecure? Yes, we can, especially if we try to link each control with a single regulatory requirement, one at a time. We may be able to achieve compliance with a single regulation that way, but we may be leaving the back door wide open.

Bill Sieglein is founder and executive director of the CSO Breakfast Club. His background includes work in the US intelligence community and a stint as CSO of the Public Company Accounting Oversight Board (PCAOB).
