Compliance should no longer dominate CIOs’ decision making. Instead, it should be viewed as a risk, says Gartner. The research firm suggests compliance should be incorporated into risk management, rather than security being incorporated into compliance as most companies have been doing until now.
“By simply trying to keep up with individual compliance requirements, organizations become rule followers, rather than risk leaders.” Compliance should be treated as a domain of risk within a formal risk management program and should not be allowed to dominate decision-making.
Compliance is usually treated as a legal or regulatory requirement that is evaluated against a predefined checklist. The common myth is that an organization which ticks every box has thereby achieved security. An organization needs to widen its view and treat compliance as one risk among others in an overall strategy, so that security receives the weight it deserves rather than only the controls a regulation happens to enumerate.
In the coming years there will be a gradual transition from compliance-based to risk-based security. Compliance will still have its rightful place on the CIO's agenda, but it will no longer be the sole factor driving decisions.