Compliance: The Danger to Security Performance of Just Going Through The Motions

George V. Hulme | June 4, 2014 | tag: Security Risk Management

Doing things purely out of habit can be risky, such as when we just go through the motions while completing tasks: tasks we have done so many times that muscle memory or our subconscious takes over and puts us on autopilot.

Doing things by rote is great for some tasks, such as those that require little thought or swift reflexes. For instance, have you ever found yourself halfway through something and not been conscious of the time that passed or the steps you took to get there? It's because you've done this task thousands of times before and don't need to be conscious of each step.

The same thing happens when we rely too heavily on checklists: we do the same thing over and over, leaning on the checklist without stepping back to think comprehensively about what we're doing and why we're doing it. In information security this is often referred to as checkbox security. It's not that checkboxes are inherently bad; when used properly they are powerful tools for ensuring thoroughness. That's not what we're talking about here.

Checkbox compliance is what appears to be happening when looking at the results from the most recent BitSight Insights, at least when it comes to the healthcare and retail sectors. In case you are not familiar with the report, BitSight analyzed the cyber security health of the Standard & Poor's 500 stock index (S&P 500) in February 2014, and that analysis found that 82% of the companies in that index had a security compromise in 2013. As a follow-up, BitSight examined the security performance of four critical industries: finance, utilities, retail, and healthcare and pharmaceuticals.

This analysis covered April 1, 2013 through March 31, 2014. The results reveal a consistently poor showing throughout the year. In fact, the number of security events BitSight identified during the period increased 200% from April 2013 to March 2014, including numerous spambot and worm infections.

To be sure, the news wasn't all bad. Of the 31 retailers evaluated, 14 actually improved their security posture, with a median increase of 60 points. Unfortunately, 17 retailers also had their ratings drop 60 points. Healthcare is in a similar IT security funk: the healthcare sector saw the largest percentage increase in the number of security incidents observed, with an average event duration longer than that of any other industry, up to 5.3 days.

That is quite troubling considering how rapidly doctors and medical providers are opening up their systems and sharing data directly with patients. Compare that to the other industries analyzed:


Why is there such a wide differential in performance between industries? Simply put, some enterprises are better at tackling information security strategically rather than tactically. They strive to align their security spend with their most important assets and most sensitive customer information. They work to improve their security program over time. They measure what they're doing and improve the areas that need improving.

During my interviews with security practitioners over the years, the dangerous checkbox mentality seeps out occasionally. They'll speak about certain processes or actions occurring because they are something they have to do to be compliant, rather than because they actually provide security value. Sometimes they'll actually say, "We do this to make sure we check the box."

Many of these same organizations fool themselves into thinking they're meaningfully reducing risk, when they are really just going through the motions. What they are actually running, at worst, are checkbox or compliance programs: they mechanically get the things on the list done without giving much thought to why. Unfortunately, while that pleases the auditors, it doesn't do much to thwart adversaries.
