Proactive vs. Reactive Compliance Management

Much of my working time is spent performing technology assessments against some kind of baseline. Most of the time, these are specific government or industry standards like HIPAA, NIST, ISO and PCI. But when clients reach out to me about evaluating their environment against these standards, it’s often out of a sense of obligation: they are reacting to some kind of demand from whoever is overseeing their work.

I can tell you from personal experience that undergoing these kinds of reviews is not a lot of fun, so it’s not uncommon for management to put off these assessments as long as possible. To some of those who will ultimately be responsible for the fallout in the event of a security or compliance failure, ignorance is bliss.

One of the things I try to do as part of my job is to change the perceptions and worries associated with compliance management. It takes frank talk about the risks and consequences of failure, but it also demands reassurance that, while it will require some effort, proper compliance management is, well… manageable.