'Every time you try to manage risk by a checklist of [compliance] items there is a very real danger' of overlooking other important issues, said Jack Jones, chief information security officer at Nationwide Insurance Co. in Columbus, Ohio. 'Checklists cast the world in black-and-white terms. They are valuable. But [by themselves] they don't allow organizations to take a good, rational and logical view of all the circumstances' that affect risk.
Those warnings come at a time when regulatory compliance requirements have made information security a topic of board-level discussion. The results of an annual global survey, released earlier this month by Ernst & Young, for instance, showed that compliance issues have replaced worms and viruses for the first time as the biggest driver of information security.
At a high level, regulations offer companies a set of guidelines that, in theory, constitute good security practices, Jones said. 'It's very hard to argue with concepts like "least privilege," "need-to-know" and "defense-in-depth." That's all in keeping with everybody's strategy of managing risk.'
Even so, problems arise when meeting compliance requirements becomes a company's sole security strategy, said Fred Trickey, information security administrator at Yeshiva University, in New York. 'Compliance is a measure of your security posture relative to the specific regulations you are looking at. In one sense, it is of value to the information security community because it does give external validation of the things you've been working on.'
But using compliance with a specific regulation as a measure of overall security is risky and can create a false sense of security, he said. 'It's very important that you don't lose sight of evolving threats, evolving risks and attack models. If you are entirely focused on regulations to the letter you will lose sight of that.'