Shifting from compliance-based IT security to a risk-based model

IT security leaders discuss how and why organizations should make the change

In the ever-evolving threat landscape that is IT security, some security executives have become so focused on meeting compliance requirements that their attention has been diverted away from the actual risks facing their organizations. Complying with the rules and regulations set forth is obviously important, but some organizations are making it the primary guiding principle of their security program.

Wisegate, a membership body for senior IT professionals, recently polled security executives across a variety of industries to get their advice on how their peers can make the shift from a compliance-based security model to one that is more risk-based. Among those members asked about the top factors influencing their information security/risk management program, 73 percent said that compliance requirements were the primary driver. Other responses included:

  • General threat landscape facing the business, technology and employees – 47 percent
  • It is the right thing to do/we prefer to initiate change rather than react to events – 47 percent
  • A recent security “close call” without external reporting requirements – 21 percent
  • Recent security incident requiring external notification – 15 percent

According to Wisegate members, compliance should become just one factor in the organization’s risk management program, and security managers should start thinking in terms of acceptable risk rather than in terms of compliance requirements that can simply be marked off on a checklist.

“If you’re focusing just on compliance, you will never be 100 percent compliant. You’ll just never accomplish that,” explained Candy Alexander, CSO for Long Term Care Partners, an insurance company for federal employees. “The technology environment changes daily. A lot of organizations, when they set up a compliance program, will set a goal of 100 percent; that’s not going to happen, so be realistic there. If you focus on simply being compliant, you will never be 100 percent secure. You will never protect your environment 100 percent. With that being said, if you shift that focus to a risk perspective, you’re going to protect your environment and you will be compliant, because compliance is just a factor in that risk profile.”

According to Randall Gamby, a founding member of Wisegate who serves as information security officer at the Medicaid Information Service Center of New York, one of the fundamental errors that many people make is thinking that compliance is an “end state” for their security program.

“People think if I have a HIPAA requirement and I meet those HIPAA controls then I have no other security issues that I need to address. The reality is that all compliance (frameworks), whether they are industry compliance requirements, federal or even international requirements, all of these are baseline standards and you have to think of compliance as the basement of where your security starts,” he said. “You have to make sure that you secure the compliance stuff and then you have to look at the other information that doesn’t fall underneath the regulation so you can secure that as well.”

Gamby added that there has been a change within the information security community: more security managers now view things from the overall business perspective rather than from their individual silo.

“Originally, the goal of information security was to protect IT services and it was plain black and white. Can I do this, yes or no?” Gamby said. “What people started to realize was that the security office ended up being more of a roadblock to the growth of the organization rather than a proponent of the business values and direction that things had to go to. CISOs (chief information security officers) and ISOs (information security officers) have had to actually change their thought process. The question is not yes or no; the question is what is the business value that applies to this?”
