“By simply trying to keep up with individual compliance requirements, organizations become rule followers, rather than risk leaders,” said John A. Wheeler, research director at Gartner. “CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their enterprises.”
The problem is that compliance is a legal and/or regulatory requirement, while security is not. The implication, and sometimes the direct assertion, is that if a company is compliant, it will be secure. The ensuing danger is that companies can engage in a check-box compliance process and assume that in doing so they are automatically becoming secure. There are many reasons why this is not necessarily true.
“Organizations must change this reactive, check-the-box mindset and start viewing compliance as a risk,” said Wheeler. His view is that in a risk-based approach to security, compliance is provided by security – security is not necessarily provided by compliance.
The solution, and one that will be discussed at the Gartner Security & Risk Management Summits in Sydney and London, is that compliance should be treated as one of the risks within an overall risk management approach to security. It doesn't make compliance go away, but it ensures that it is given its rightful position as a part of, and not a substitute for, security.
Indeed, this is one of the prime conclusions of Gartner's research document 'Compliance Is No Longer a Primary Driver for IT Risk and Security' published last month: "Compliance should be treated as a domain of risk within a formal risk management program and should not be allowed to dominate decision making."
In reality, this move from compliance-based to risk-based security (including compliance) already seems to be evolving in the larger enterprises. Wisegate is a community of senior IT personnel. Its members periodically engage in internal roundtable discussions on important issues, where they share knowledge and experiences – and publish the results.
One recent report was on this very subject: 'Moving From Compliance to Risk-Based Security: CISOs Reveal Practical Tips'. It echoes Gartner almost to the letter: "Even in a risk-based program, compliance doesn't go away entirely. The regulations are still there, but department heads and managers have to start thinking in terms of acceptable risk levels versus compliance requirements to mark off a checklist. It's a change in language, and the moment when everyone understands the difference is an 'aha!' moment for the entire organization."