Thinking outside the IT audit (check)box

[InfoSec News <alerts () infosecnews org>]

http://www.csoonline.com/article/741757/thinking-outside-the-it-audit-check-box

By George V. Hulme
CSO Online
October 21, 2013

After years of security teams reaching into the regulatory compliance 
budget bucket to find the funding they need for their security efforts, 
some organizations are noticing that while it won short-term capital, the 
practice has come back to haunt them in the long run. And while it does 
sound cliche to hear that compliance does not equal security, many 
enterprises are taking steps to make sure their focus is on building 
resilient IT and not merely on passing an audit.

A recent report from the IT expert professional community Wisegate, Moving
> From Compliance to Risk-Based Security, found that the top driver for
implementing a risk management program is to meet regulatory compliance 
requirements. Fewer than half of respondents cited the general threat 
landscape or an interest in getting in front of attackers.

That troubling attitude could explain why so many organizations remain in 
firefighting mode—jumping from one breach or security emergency to the 
next without any chance of getting in front of the risk.

While it can certainly be argued, and strongly so, that security wasn't 
taken seriously in the days prior to regulatory mandates such as 
Sarbanes-Oxley, PCI DSS, and the myriad other regulations and data breach 
disclosure laws that followed, it's also certainly tougher to make the 
strong case that, long term, organizations are better off today for their 
efforts. Disappointingly, many organizations are doing only the minimum of 
what needs to be done in order to pass the next audit and to be able to 
show management that their IT systems are compliant.

[...]

--
Find the best InfoSec talent without breaking your
recruiting budget! Post a Job, $99 for 31 days.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/