If you’re trying to maintain a secure environment, then working through a checklist might seem a useful way of ensuring you’ve covered everything and are meeting compliance requirements. However, that kind of thinking can be dangerous.
Speaking at the Digital Security Summit in Canberra last week, security veteran Howard Schmidt (his resume includes a stint as the cyber-security advisor for the Obama and Bush administrations) argued that trying to stick too closely to compliance mandates was often counter-productive:
“When people have a checklist, they will gravitate towards ‘What is the minimum thing I need to do to tick the box?’”
Rather than focusing on individual compliance issues, Schmidt recommends looking at security at a more fundamental level: “By becoming secure, you become compliant.”
That said, Schmidt sympathises with the difficulty in ensuring sufficient funding for security initiatives. “We’re asking them to make an investment so something doesn’t happen, and it’s really difficult for CEOs and boards to get their head around that.” In that context, playing the compliance card is sometimes an effective if unfortunate compromise.