Compliance: The Danger to Security Performance of Just Going Through The Motions

Merely doing things out of habit can be risky, such as when we just go through the motions when completing tasks: tasks we have done so many times that muscle memory or our subconscious takes over and puts us on autopilot.

Doing things by rote is great for some tasks, such as those that require little thought or swift reflexes. For instance, have you ever found yourself halfway through something and not been conscious of the time that passed or the steps you took to get there? It's because you've done this task thousands of times before and don't need to be conscious of each step.

The same thing happens when we rely too heavily on checklists: when we do the same thing over and over and lean on checklists without stepping back to think comprehensively about what we're doing and why we're doing it. In information security this is often referred to as checkbox security. It's not that checkboxes are inherently bad; when used properly they are powerful tools to ensure thoroughness. That's not what we're talking about here.

Checkbox compliance appears to be what is happening, judging by the results from the most recent BitSight Insights, at least when it comes to the healthcare and retail sectors. In case you are not familiar with the report, BitSight analyzed the cyber security health of the Standard & Poor's 500 stock index (S&P 500) in February 2014, and that analysis found that 82% of the companies in that index had a security compromise in 2013. As a follow-up, BitSight examined the security performance of four critical industries: finance, utilities, retail, and healthcare and pharmaceuticals.

This analysis covered April 1, 2013 through March 31, 2014. The results reveal a consistently poor showing throughout the year. In fact, the number of security events BitSight identified during the period increased 200% from April 2013 to March 2014, including numerous spambot and worm infections.

To be sure, the news wasn't all bad. Of the 31 retailers evaluated, 14 actually improved their security posture, with a median increase of 60 points. Unfortunately, 17 retailers also had their ratings drop 60 points. Healthcare is in a similar IT security funk. The healthcare sector saw the largest percentage increase in the number of security incidents observed, and its average event duration was longer than in any other industry: up to 5.3 days.


That is quite troubling considering how rapidly doctors and medical providers are opening up their systems and sharing data directly with patients. Compare that to the other industries analyzed:


Why is there such a wide differential in performance between industries? Simply put, some enterprises are better at tackling information security strategically rather than tactically. They strive to align their security spend with their most important assets and sensitive customer information. They work to improve their security program over time. They measure what they're doing and improve the areas that need improving.

During my interviews with security practitioners over the years, the dangerous checkbox mentality seeps out occasionally. They'll speak about certain processes or actions occurring because it's something they have to do to be compliant, rather than because it actually provides security value. Sometimes they'll actually say, "We do this to make sure we check the box."

Many of these same organizations fool themselves into thinking they're meaningfully reducing risk, rather than just going through the motions. What they are really running, at worst, are checkbox or compliance programs: they mechanically get the things on the list done without giving much thought to why. Unfortunately, while that pleases the auditors, it doesn't do much to thwart adversaries.