Why Cybersecurity Pros Push Back on 'Checking a Box'

Posted by Nour Dandan on May 22, 2025 11:36:20 AM

In cybersecurity, there’s a strong resistance to the phrase “checking a box.” It comes up in meetings, project plans, compliance discussions, and audit prep. The phrase carries a lot of weight, but not in a good way.

The concern isn’t about completing a task. It’s about what happens when someone assumes that once a box is checked, the responsibility ends. That mindset is risky and can create blind spots, leaving organizations exposed.

Take a penetration test, for example. Many compliance frameworks require them, so the test gets done, the report filed, and the box checked. But if no one addresses the findings, it becomes a formality. The organization meets the requirement on paper, but nothing improves, and the risks remain.

In some cases, organizations opt for basic automated penetration tests that are scoped just enough to meet the requirement. However, a more comprehensive test with human involvement could uncover risks that a basic test might miss. The question then becomes: is the priority actual security, or just satisfying the compliance checkbox?

That same mindset shows up in other areas. An access review is submitted, but no one investigates unusual changes. Employees complete a training module, but risky behavior continues. In each case, the task is marked complete, but the outcome falls short.

The pushback on “checking a box” isn’t about being difficult. It’s about avoiding a false sense of completion. It is about addressing and reducing risk. It reflects an understanding that cybersecurity is dynamic. Threats evolve. Environments change. People move in and out of roles. Even completed tasks need to be revisited and reassessed. Some actions follow a regular cadence, like patching. Others can be prompted by change, like security reviews after new technology is introduced.

Checking a box isn’t the problem. A passive approach to doing so is.

To help translate this into action, we created the Cyber Do List, a simple resource that outlines essential daily, monthly, quarterly, and annual tasks to help organizations stay consistent and focused on what matters most. It is available for download here.

Topics: Cybersecurity, Compliance