The Compliance Trap
The more things change, the more they remain the same.
Almost exactly two years ago, I posted an article about the general organizational obsession with regulatory (or industry) compliance, at the expense of proper information security. Just today, I read an article on the CIOzone that asks: Does PCI Compliance Work?
The point being made in this article is a very valid one, and one that bears repeating: The PCI DSS standard is merely a *baseline* that can help organizations identify and mitigate specific information security risks to their business, but it is not the final answer on information security in an enterprise.
If your focus is simply on attaining compliance, you are likely to end up with compliance to the letter of the law without a corresponding adherence to the spirit of the regulations. In short, you will undermine your ultimate goal of risk mitigation, and you’ll likely spend a lot of money doing so.
In the long-run, the costs for doing the very least that can be done to achieve compliance are far greater than the costs incurred by properly implementing a comprehensive information security and risk management program. Consider just a few of the following ways that minimal compliance can cost an organization:
- Changes to existing compliance regulations will generate new technology costs
- Becoming subject to a new compliance regulation will generate new technology costs
- Minimal compliance does not necessarily improve security, so such organizations can expect to experience more breaches, which result in hard costs (fines, consumer notification, and issue remediation) and soft costs (lost consumer confidence)
Let’s get something else straight: Neither compliance nor a good security program can guarantee that an organization will not be breached. Prevention cannot be guaranteed, especially when it comes to complex organizations with elaborate customer and partner interaction. What a good security program does is mitigate risk – limit exposure, narrow the scope of attack, allow faster identification, enhance recovery time, and help to track the infiltration back to the source.
Security professionals need to constantly manage expectations that their senior managers have after spending x-thousands of dollars/euro to implement a security program. (And we’re not even going to mention that security is much more than technology – it is about people and process). Mitigate is not the same as eliminate. This simply cannot be overstated.
The bottom line is that companies that take information security seriously will be able to address industry or regulatory compliance more easily and more effectively than those that just focus on working through the compliance checklist – whatever that checklist happens to contain today.
Hopefully, I’ll see a difference in the approach used by most organizations two years from now, so that I won’t have to sing the same, sad song. Again.