Avoiding the Compliance Checkbox Mentality

When I asked her how she avoids the checkbox approach, she said she leans heavily on several teams, including penetration testers and cybersecurity analysts, to get the most context and perspective possible. This is why she made sure to talk with me about my compliance comments.

She loved my presentation about the need to use red teams and blue teams properly because it reflected her need for proper context and improvement metrics. She was especially interested in my observations about how these teams act as context engines that allow organizations and their leaders to build situational awareness. Even with all the wonderful security controls and technologies, such as security information and event management (SIEM) systems, most organizations struggle to produce good context and metrics.

Over the past couple of weeks, I’ve had the good fortune to talk a bit more with that compliance officer. I’ve also had some time to really think about what a good compliance officer can do, as long as they are properly empowered.

I’ve concluded that compliance, if done right, isn’t all that bad. In fact, it can be very, very beneficial, as long as you use your teams correctly. Most organizations, I’ve found, don’t quite have the operational maturity for that, proper segregation of duties being one example. Others struggle to review the metrics they’ve already set. Most still don’t use their teams correctly as context engines that allow them to really understand their exposure to security threats. But I am confident that at least this health care organization has things pretty well in hand.