
Comment: Compliance for its own sake is a recipe for IT security failure

A box-ticking approach to cyber security can end up being little better than taking no measures at all, warns Chris Stoneff

Does your organisation take cyber security seriously? “Sure, we meet all the compliance regulations,” I hear thousands of voices chant in unison. Okay, so let me rephrase that: do you deploy IT security products purely to tick boxes and meet compliance regulations, or because you are actually concerned about security? In a survey carried out last year at the international security industry event RSA Conference, over 60 per cent of delegates admitted that they had deployed a security product purely to meet compliance regulations.

But being compliant doesn’t perforce mean being protected. There are no IT security products that can just be deployed seamlessly in an enterprise and forgotten about. For the time being we have to give our security products some TLC to get the maximum security potential (and some are needier than others).

What’s troubling is that almost 70 per cent of organisations don’t think they are getting the most from their security products because they are either too complicated, too time-consuming or need certain expertise. Out of these, over 70 per cent confess to knowing that their companies are at risk because they are not using the security products to their full potential.

Although there is much work to be done by suppliers, there are several things organisations can do now to reduce risk and use security products to their full potential.

First, pick carefully. Just like buying branded products in a supermarket as opposed to their identical supermarket own-brand counterparts, too many businesses get sucked in by the biggest brand names in security with little regard for what they actually need.

You can narrow it down by asking a few key questions before you commit to a new product. Do you have existing IT security knowledge or will you have to hire someone? Can you deploy the product in-house or will a managed service make more sense? What is the support like? Is training offered by the manufacturer or reseller? Is the supplier sufficiently responsive to your communications? If the vendor isn’t brilliant at the start when trying to make the sale, then there’s no hope when it comes to support later on.

Along with the security product, you should always be given training, regardless of whether it is sold directly from the manufacturer or through other channels. Spend a good amount of time learning the product when you first install it and then review and refresh monthly or quarterly, as needed. After all, if you’re not using the product correctly, you might as well not have it at all. Some 16 per cent of survey respondents said their security products were too time-consuming, which prevented them from taking advantage of their full potential. Yes, it is time-consuming, but in the long run it will save you time, money and perhaps even your business.

The main driver for a lot of organisations when searching for security products is meeting compliance regulations. But that’s not enough. Globally, the UK comes second after the US for number of data breaches. And at one point or another, each of these companies was probably compliant, possibly even at the time of the breach. However, many would have forgotten about compliance shortly after installing the product, defeating the point in the first place. Compliance should be continuous, not a one-time event. Fortunately, some products make compliance easier to maintain than others, so do your homework.

Undoubtedly, it is great that organisations are thinking about compliance; however, we need more emphasis on the actual security. A security product will fail if it is not implemented and maintained correctly, so every penny and minute that goes into choosing and maintaining the right product is worth it. If a company is breached it won’t be their security product’s name that gets dragged through the mud, it’ll be theirs. So repeat after me: “no compliance for compliance’s sake”.

Chris Stoneff is VP technical management with Lieberman Software Corporation (
