Is it murder if the victim is already dead?

By Mike Rothman
Sometimes seeing what you have known for years in print is helpful, even comforting. So Gartner’s Paul Proctor writing about killing compliance in cold blood is good. Paul has a bigger megaphone than the rest of us, so maybe folks will start getting on board with doing security (or risk, depending on your vernacular) and stop worrying so much about the checklists.
Compliance is no longer the driver for IT risk and security. Compliance is just one of many risk domains to be addressed in a mature risk management program and approach.
Recently the security hyperbole trifecta (APT/advanced malware, BYOD, and Big Data) has been sucking up all the oxygen in security marketing, so compliance is suffocating. Compliance as the primary driver of security/risk is already effectively dead, but many people haven’t noticed yet. More to the point, certain classes of organizations are not sophisticated enough to realize what has happened.
That gets down to Paul’s use of the ‘M’ word: maturity. The problem is that the great unwashed are still in security/risk diapers, so they can’t see compliance as only one risk domain among many. Their list of audit deficiencies makes it the only domain they are aware of. But that’s okay – every organization needs to start somewhere, and checklists can be helpful for spurring action and establishing a very very low bar of protection.
Then as organizations climb the curve of security and risk maturity, they can and should “stop being a rule follower and become a risk leader” as Paul suggests. That’s the goal.
Followers are buried in regulatory distraction that impedes their ability to innovate, perform, optimize and adapt their programs. Followers are busy covering their butts.
Leaders are able to map risk and security dependencies into desired business outcomes and report these risks into the appropriate decision makers. For example, a modern risk and security program can support mergers and acquisitions through proactive due diligence that guides actual integration decisions by non-IT decision makers. That’s influencing the business!
Actually, we’re all busy covering our butts – including leaders. The difference is that leaders proactively identify what will kill them, and tell non-IT decision-makers where they will be hit. That may be enough to save them when the brown stuff hits the fan, whereas followers never see it coming because it wasn’t on a checklist…
Photo credit: “Murder” originally uploaded by AJ Cann