Are compliance checklists an effective way to improve cyber hygiene?


VP - Head of Information Technology in Software, 1,001 - 5,000 employees
The threat model is the important thing, especially in the security domain. When I think about SOX compliance, for example, I'm thinking about a threat model to finance: if you wanted to do something bad to our financials, what would you do? That's where the control should come from, not a bunch of checkboxes.

I hate compliance checkboxes, because you can have all the compliance in the world and still have bad security, although it's becoming more of an analytical framework than it used to be. Companies don't typically want to invest in good security, but if you had really good security, you could have good compliance as a by-product. The business will say, "Just tell me what it takes to check these boxes so we can sell this deal," and I have to explain that it would be the same amount of effort to actually do it well. Then the boxes will be checked and we can both sleep at night.

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
Hygiene is most important. One thing that we need to develop our resources on is the connection between the compliance check box and actual hygiene. Because CISOs that get it are tracking hygiene metrics. They know that you can't keep your team engaged and focused on security by design if you're just checking the box.

Director of IT in Software, 201 - 500 employees
It helps and can be a good starting point and used as guidance, but improving cyber hygiene should be a continuous process.
It does not help if you rush to fix/get everything in order a few weeks before the security assessment/audit so you can checkmark all the boxes and then leave it as is for the next assessment.

VP of IT in Media, 10,001+ employees
Yes, cookbooks make the best recipes

CIO in Education, 1,001 - 5,000 employees
They certainly are a good first place to start.
