Welcome to The UltraTech Zone Sign in | Join | Help

Talking Out Loud with ASB

Views on Life, Technology and Everything, by ASB (aka Logik!)...

My Profile

Andrew S. Baker (ASB)


  • Platform: CS v2.1 SP2...

    Get a FREE phishing filter for your domain!

    Who links to my website?

    Pando Pro

The Compliance Trap

The more things change, the more they remain the same.

Almost exactly two years ago, I posted an article about the general organizational obsession with regulatory (or industry) compliance, at the expense of proper information security.  Just today, I read an article on the CIOzone that asks: Does PCI Compliance Work?

The point being made in this article is a very valid one, and one that bears repeating:  The PCI DSS standard is merely a *baseline* that can help organizations identify and mitigate specific information security risks to their business, but it is not the final answer on information security in an enterprise.

If your focus is simply on attaining compliance, you are likely to end up with compliance to the letter of the law without a corresponding adherence to the spirit of the regulations.  In short, you will undermine your ultimate goal of risk mitigation, and you’ll likely spend a lot of money doing so.

In the long-run, the costs for doing the very least that can be done to achieve compliance are far greater than the costs incurred by properly implementing a comprehensive information security and risk management program. Consider just a few of the following ways that minimal compliance can cost an organization:

  • Changes to existing compliance regulations will generate new technology costs
  • Becoming subject to a new compliance regulation will generates new technology costs
  • Minimal compliance does not necessarily improve security, thus such organizations can expect to experience more breaches which result in hard costs (fines, consumer notification, and issue remediation) and soft costs (lost consumer confidence)

Let’s get something else straight: Neither compliance nor a good security program can guarantee that an organization will not be breached. Prevention cannot be guaranteed, especially when it comes to complex organizations with elaborate customer and partner interaction.  What a good security program does is mitigate risk – limit exposure, narrow the scope of attack, allow faster identification, enhance recovery time, and help to track the infiltration back to the source.

Security professionals need to constantly manage expectations that their senior managers have after spending x-thousands of dollars/euro to implement a security program. (And we’re not even going to mention that security is much more than technology – it is about people and process). Mitigate is not the same as eliminate. This simply cannot be overstated.

The bottom line is that companies that take Information Security seriously will be able to address industry or regulatory compliance more easily and more effectively than those which just focus on addressing the compliance checklist – whatever that checklist happens to contain today.

Hopefully, I’ll see a difference in approach in use by most organization two years from now, so that I won’t have to sing the same, sad song.  Again.

Share Post:
Posted: Thursday, March 12, 2009 4:47 PM by Logik!


Talking Out Loud with ASB said:

It has been a busy month or so for information security.  Apple has patched a vulnerability that

# April 15, 2010 8:11 AM
Anonymous comments are disabled

About Logik!

Andrew S. Baker aka ASB aka Logik!

Andrew S. Baker is a business-savvy, hands-on IT leader with expertise in mentoring people, mitigating risk, and integrating technology to drive innovation and maximize business results. He creates competitive advantage for organizations through effective IT leadership: implementation of processes and controls, and architecture of robust business solutions.

Mr. Baker has successfully led a number of high-performance technology teams in designing, deploying and maintaining secure, cost-effective computing environments for well-known companies, including Warner Music Group, The Princeton Review, Bear Stearns, About.com, and Lewco Securities.

For over a decade, Andrew has exhibited thought leadership on technology and business topics via mailing lists, technical forums, blogs, and professional networking groups, along with contributions to podcasts, webinars, and over 20 technical/business magazine articles. He also serves on several boards and committees for non-profit organizations, and within the Seventh-day Adventist church.

His personal interests include Astronomy, Basketball, Bible Study, Chess, Comics, Computers, Family Life Ministries, Reading, Strategy/Role Playing games, and Professional Networking...

A summary of Andrew's current résumé is available here, and he can be reached on a variety of social and professional networks, including LinkedIn, Facebook and Twitter.