Are compliance checklists an effective way to improve cyber hygiene?

Security Frameworks (NIST, CIS, CSF)Governance, Risk & ComplianceRegulatory Compliance
815 views5 Comments
VP - Head of Information Technology in Software, 1,001 - 5,000 employees
The threat model is the important thing, especially in the security domain. When I think about SOX compliance, for example, I'm thinking about a threat model to finance: if you wanted to do something bad to our financials, what would you do? That's where the control should come from, not a bunch of checkboxes.

I hate compliance checkboxes, because you can have all the compliance in the world and still have bad security, although it's becoming more of an analytical framework than it used to be. Companies don't typically want to invest in good security, but if you had really good security, you could have good compliance as a by-product. The business will say, "Just tell me what it takes to check these boxes so we can sell this deal," and I have to explain that it would be the same amount of effort to actually do it well. Then the boxes will be checked and we can both sleep at night.
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
Hygiene is most important. One thing that we need to develop our resources on is the connection between the compliance check box and actual hygiene. Because CISOs that get it are tracking hygiene metrics. They know that you can't keep your team engaged and focus on security by design if you're just checking the box.
Director of IT in Software, 201 - 500 employees
It helps and can be a good starting point and used as guidance, but improving cyber hygiene should be continuous process.
It does not help if you rush to fix/get everything in order few weeks before the security assessment/audit so you can checkmark all the boxes and then leave it as is for the next assessment.
VP of IT in Media, 10,001+ employees
Yes , cookbooks make the best recipes
CIO in Education, 1,001 - 5,000 employees
They certainly are a good first place to start.

Content you might like

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
42.7k views132 Upvotes319 Comments

Do you have policy and procedure governing electronic communications, including chat channels/mechanisms such as We Chat or WhatsApp and Text messages given DOJ guidance to include third party messaging apps as an area to regulate? Are employees forbidden from using unapproved electronic communications channels or are you providing corporate accounts? Do you offer training? Do you monitor communications and audit compliance? Do employees acknowledge compliance with approved communication channels? What is retention period on communications?

Collaboration SolutionsData PrivacyRegulatory Compliance
422 views

Do you feel like security’s current role in your org’s generative AI initiatives is adequate? Or do you think the security team(s) should be more/less involved?

Artificial Intelligence & Machine Learning (AI/ML)Governance, Risk & ComplianceSecurity Strategy & Roadmap

Way more involved4%

Somewhat more involved51%

A bit more involved29%

Security’s current role is adequate11%

A bit less involved2%

Somewhat less involved0%

Way less involved1%


177 PARTICIPANTS
1.1k views

What are your thoughts on SaaS management platforms (SMP)?

People & LeadershipStrategy & ArchitectureCloud+87 more
2.5k views5 Upvotes

Are you confident in your org’s current guardrails/policies for generative AI?

Artificial Intelligence & Machine Learning (AI/ML)Governance, Risk & ComplianceSecurity Strategy & Roadmap

Completely confident – they’re as solid as possible11%

Sort of confident – policies seem adequate62%

Slightly confident – better than nothing19%

Not at all confident – we need to redo these4%

Unsure3%


199 PARTICIPANTS
915 views1 Comment