(Editor's note: In this guest post, Vijay Basani, co-founder and CEO of security and compliance vendor EiQ Networks, outlines why passing an audit does little to truly secure assets from hackers.)
USA TODAY - Most organizations that have gone through a successful compliance audit are still susceptible to a security breach.
Management typically spends the bare minimum to get a passing grade from the auditor, yet the expense drains real dollars out of badly needed IT budgets and adds nothing to the bottom line. The Verizon 2013 Data Breach Investigations Report indicates that most companies don't have sufficient IT resources to manage the tools and systems they already have.
Compliance has conditioned the market to look at what passes through the IT infrastructure rather than at what is actually happening inside it. An audit is a point-in-time snapshot of whether required controls exist; it says little about whether an intruder is already operating between assessments. This approach inevitably produces a false sense of security, and it requires expensive tools and consultants to ensure that every box is checked against the requirements. Meanwhile, bad actors continue to find weak links, penetrate the network and steal valuable financial and customer data.
The 'checkbox' mentality places too much emphasis on compliance over risk management, further dividing IT from the rest of the business: over one-third (36 percent) of information security professionals meet infrequently, or never, with business unit leaders to understand business objectives and information security needs.
An effective way to improve IT security, meet compliance mandates, protect assets and build competitive advantage is to continuously monitor the IT infrastructure and to put in place the SANS 20 Critical Security Controls, a prioritized strategy for proactively identifying and fixing the most common security issues.
These controls have been in use by government agencies for years and help overworked and underappreciated security teams focus their workload on the most critical issues. As a framework, the SANS Controls are a superb alternative to the checkbox: continuous auditing, assessment and monitoring of the environment, exposing where potential issues are and how they should be remediated, rather than a periodic attestation that a control exists on paper.
No compliance standard will truly shield an enterprise from the inevitable. If something can go wrong, it will, and the damage will compound. There is no such thing as 100 percent safety, and 100 percent compliance does not deliver it, when it comes to enterprise security.
(Copyright © 2014 USA TODAY)