Companies with IT security strategies that focus mostly on complying with key standards are dangerously unprepared for emerging cyber threats, said security experts at the RSA Conference 2013 here this week.
Over the past few years, the security strategies of many companies and government agencies have centered on meeting the requirements of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA) and other government and industry standards.
Experts say that meeting such standards is important, but that the standards should be treated as baseline controls within a broader IT security strategy, not as the strategy itself.
"The audit industry has become a monster," said Anup Ghosh, founder of security firm Invincea.
"Keeping those guys at bay" has become a full-time job in many IT security organizations, he said. "A lot of compliance regimens have been all about checking boxes and following processes."