Are compliance checklists an effective way to improve cyber hygiene?

Anonymous Author
The threat model is the important thing, especially in the security domain. When I think about SOX compliance, for example, I'm thinking about a threat model to finance: if you wanted to do something bad to our financials, what would you do? That's where the control should come from, not a bunch of checkboxes. I hate compliance checkboxes, because you can have all the compliance in the world and still have bad security, although it's becoming more of an analytical framework than it used to be. Companies don't typically want to invest in good security, but if you had really good security, you could have good compliance as a by-product. The business will say, "Just tell me what it takes to check these boxes so we can sell this deal," and I have to explain that it would be the same amount of effort to actually do it well. Then the boxes will be checked and we can both sleep at night.
0 upvotes
Anonymous Author
Hygiene is most important. One thing that we need to develop our resources on is the connection between the compliance check box and actual hygiene. Because CISOs that get it are tracking hygiene metrics. They know that you can't keep your team engaged and focused on security by design if you're just checking the box.
0 upvotes
Anonymous Author
It helps and can be a good starting point and used as guidance, but improving cyber hygiene should be a continuous process. It does not help if you rush to fix/get everything in order a few weeks before the security assessment/audit so you can checkmark all the boxes and then leave it as is for the next assessment.
0 upvotes
Anonymous Author
Yes, cookbooks make the best recipes.
0 upvotes
Anonymous Author
They certainly are a good first place to start.
0 upvotes