Compliance Is Wasted Money, Study Finds

Soulskill posted about 4 years ago | from the missing-the-point dept.


Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."

196 comments

Naturally... (4, Insightful)

russotto (537200) | about 4 years ago | (#31739964)

Screw up with your customers data, and the worst that happens is you get a PR black eye, or you lose money. Don't follow regulations and unless you've got a Congressman in your pocket, you can go to jail.

Re:Naturally... (1)

sorak (246725) | about 4 years ago | (#31740812)

Screw up with your customers data, and the worst that happens is you get a PR black eye, or you lose money. Don't follow regulations and unless you've got a Congressman in your pocket, you can go to jail.

Agreed. What statistics should they be showing to make "obey the law" a priority? And what part of this summary shows that it is currently too much of one?

Re:Naturally... (1)

Z00L00K (682162) | about 4 years ago | (#31740820)

All too true - screw up the Sarbanes-Oxley act and you will be thrown with some interesting instruments up your rear end.

And if you screw up some decree by DHS or any other department with a three-letter acronym you will get roasted slowly over a pit and then thrown to the polar bears. If you have a congressman or senator handy you may be able to avoid the polar bears, but you may also have company instead when you visit them.

And people wonder why so few startups are going on that may produce new jobs. It's that swamp of regulations that is equally wide and deep regardless of how large you are. But if you are big you can take it in two strides, while if you are small it may take you two hundred strides.

Re:Naturally... (3, Interesting)

MillionthMonkey (240664) | about 4 years ago | (#31741020)

And people wonder why so few startups are going on that may produce new jobs.

I've been to several startups in the past year that exist solely for compliance purposes. They'll have only a few customers, all large corporations. Typically they'll come up with some little scheme like building physical "appliances" that clients plug in to their internal network and voila all this stupid traffic is being logged and kept on record and emails are flying out to customers a mile a minute. On average these outfits hire a couple dozen people. Very dull jobs but they pay well.

Process/Objective Inversion (5, Insightful)

Citizen of Earth (569446) | about 4 years ago | (#31739994)

The purpose of the 'process' is to serve the 'objective'. When serving the process becomes the objective, you're boned.

Re:Process/Objective Inversion (5, Insightful)

Daniel Dvorkin (106857) | about 4 years ago | (#31740258)

There are two different objectives here, with (at least) two different processes. The first of these objectives is securing corporate assets. The second is securing sensitive individual information about people with whom the corporation does business. Security processes should ideally serve both objectives, but if that's impossible, then one process (or set of processes) has to be given priority over the other. As a customer of, say, Amex or Cigna, I care a whole hell of a lot more about the second objective than the first, so it doesn't displease me at all that the processes related to that objective are well-funded.

Re:Process/Objective Inversion (1)

Hognoxious (631665) | about 4 years ago | (#31740414)

Not true. A well designed process could serve both objectives - if they're mutually exclusive then explain how - but frequently what passes for designing a process is actually an exercise in box ticking that over time can become a process in itself.

Re:Process/Objective Inversion (1)

StillNeedMoreCoffee (123989) | about 4 years ago | (#31741000)

But there are two different objectives, one is fostering the corporate profits and the other is public safety. As much as we decry regulations, what would it be like if there were no traffic lights or stop signs, or even worse, there were but people did not pay attention to them. The stop lights do a tremendous lot of good, they reduce moving accidents to close to zero while allowing cars to speed along through light after light, when things are timed well, without stopping, maintaining an even speed. That saves time, saves gas, increases throughput of the entire system. We see other types of regulations like that in computers where I/O is given precedence so it can get its work started and leave and let the CPU tasks continue. The throughput of the entire system is increased.

It is true in subtle but powerful ways with security regulations, and the Internet especially. If people can't trust that their data will be safe (can't trust that someone who has the red light is going to stop) then they will not give their data out, they won't do commerce online. They won't trust their credit card company to be safe and secure and will start using cash and checks again. Commerce cannot continue and certainly not at an efficient pace when trust is not present. So the regulations to protect user data establish a trust playing field that, while a great pain in the ass to comply with, is essential for business. The alternative is too horrible to contemplate. As for the other, the corporation protecting their data, that's up to the corporation and there is little or no community interest nor control that would make sense. Corporations and businesses would find that more than onerous.

So the real issue here is that the article states that the study feels that compliance is not worth the money. That is selfish business talking. All you have to look at are the recent very large thefts of people's identities or the corporate malfeasance that has come to light and has had dramatic and real negative monetary impact on millions of people to tell us that this view is selfish and short sighted. It does not value the social value of compliance as it should, but then many businesses have a much more narrow self interest in mind for where they want to put their monies. That's why we have regulations with compliance, they don't do it on their own and we all have suffered already for that.

Re:Process/Objective Inversion (0)

Anonymous Coward | about 4 years ago | (#31741352)

I agree wholeheartedly, except that I don't think "the alternative is too horrible to contemplate" if the alternative is "We will no longer be able to buy crap we don't need using money we don't have to impress people we don't like (at least online) using credit cards."

I am one of those strange folk who would pay extra for that sort of thing... and I work for the internet arm of a large retail establishment!

Re:Process/Objective Inversion (1)

StillNeedMoreCoffee (123989) | about 4 years ago | (#31742038)

The unthinkable alternative is losing your identity and cash to a thief who would have been stopped by compliance, or your car T-boned by a semi at an intersection because he just did not want to comply. Or you end up in jail because someone stole your identity and stole items and you are framed for it. Then there is the economic collapse that could occur. We saw this recently with the derivatives market tanking the economy. We did not regulate those bastards. Why comply? I'm making money, oops your life is ruined, who knew? I will just retire with my winnings (your money) to my gated community.

When the process becomes the objective... (1)

weston (16146) | about 4 years ago | (#31740660)

When serving the process becomes the objective, you're... ... just following "Best Practices," right?

It's really not that some things that end up in the conceptual bin labeled "Best Practices" are bad ideas. But there are two classes of people who are following/implementing them: those who understand the principles that gave rise to the rules, and those who don't. Becoming part of the former group generally takes a significant up-front investment. Becoming part of the latter group doesn't. Meanwhile, the benefits of wielding recommended practices and rules/regulations are more or less the same for both groups; the extra benefits of really understanding the principles are marginal (except for the occasional entrepreneurs who might be genuinely trying to compete with established players on efficiency). Particularly if your relationship with the company you work for falls between careerist and sociopathic, you have no real incentives to understand the principles behind any distilled rule. Rote recommendation and compliance is enough.

If you want regulation that works, rather than specifying some cargo-cult set of instructions for "compliance," you have to figure out what your real goal is, reward its genuine achievement, and make it really hurt (if at all possible) when there's a failure.

Well... (2, Interesting)

Pojut (1027544) | about 4 years ago | (#31740008)

...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.

wasted? (3, Insightful)

Lord Ender (156273) | about 4 years ago | (#31740032)

If you aren't compliant, you won't be able to sell certain services or take on certain customers. Being compliant is certainly not a waste from a business standpoint.

Re:wasted? (3, Insightful)

CrimsonAvenger (580665) | about 4 years ago | (#31740198)

If you aren't compliant, you won't be able to sell certain services or take on certain customers. Being compliant is certainly not a waste from a business standpoint.

Note that if the Feds required that all of your marketing department drive Rolls-Royces, then what you said would still be true.

It would even be true if the Feds required that any software guy had to wear a clown suit to work.

Neither of these things is at all relevant to your business, however. And the point of the article is that much of the (unnecessary) compliance requirements of various Federal laws are about as important as my two examples.

Re:wasted? (3, Informative)

Jah-Wren Ryel (80510) | about 4 years ago | (#31740280)

FWIW - PCI-DSS is a requirement of Visa, Mastercard, et al. Not the feds.
It is an acronym for "Payment Card Industry Data Security Standard."

Re:wasted? (1)

Hognoxious (631665) | about 4 years ago | (#31740530)

Irrelevant - it's still an economic loss if it doesn't really add value[1] to the product or service being delivered.

Lead lifejackets sink, regardless of whether they're ISO 9001 certified or not, and regardless of who requires that certification.

[1] strictly, add more value than it costs

Re:wasted? (1)

idontgno (624372) | about 4 years ago | (#31740636)

OTOH, if your cruise line gets more bookings because you can advertise your ISO 9001 certified life jackets, it's quite possibly a business win. And if a passenger complains about the weight, you can make up some crap about shielding ("for your health") and cosmic rays.

In other words "add value" actually means "add perceived value". The difference? Marketing.

Re:wasted? (1)

bearsinthesea (1619663) | about 4 years ago | (#31741774)

An economic loss to who? In the past, some merchants have not had firewalls and sent cardholder data over FTP on the Internet, because it was 'too expensive' to do otherwise.

PCI may be a loss for the merchant (cost of doing business), but an overall gain if it prevents loss to the card brands or consumers.

Re:wasted? (3, Insightful)

Lunix Nutcase (1092239) | about 4 years ago | (#31740292)

So you think that the feds requiring people to protect your health records, for example, is a waste? Would you really rather go back to a time when the same companies didn't care? Sure these compliance laws are usually flawed in many ways, but since this holds the companies accountable for a minimum of data security at least they will do something whereas they would normally do nothing.

Re:wasted? (2, Insightful)

Jah-Wren Ryel (80510) | about 4 years ago | (#31740424)

Would you really rather go back to a time when the same companies didn't care?

I think I would because I would like to see the follow-on effects. I believe that most of HIPAA is smoke & mirrors, that violations are rampant and the requirements full of loopholes, thus it gives a false sense of security to the public. I would rather the public be made acutely aware of the risks and that instead of just trusting that the law will protect the public, we start relying on other mechanisms, like minimizing the data we give to health care companies and allow them to keep. It's a lot simpler to avoid disclosing data you don't have than it is to build up a wall of fallible procedures around the data instead.

Re:wasted? (1)

clang_jangle (975789) | about 4 years ago | (#31740906)

Yeah, free market all the way, baby -- I mean, look what getting rid of regulation did for our banking choices!

Oh, wait...

Re:wasted? (1)

Jah-Wren Ryel (80510) | about 4 years ago | (#31741238)

Yeah, free market all the way, baby -- I mean, look what getting rid of regulation did for our banking choices!

You seem to misunderstand my point. The current situation with respect to HIPAA is more akin to regulatory capture than it is to actual regulation. Same thing with the result of the CDO fiasco and follow-on failures in banking - if the banks had not so effectively captured their own regulatory agencies and the entire government beyond them, we probably wouldn't have seen so many people willing to 'risk' all that money in the first place, and we definitely would not have seen the massive bailout that followed.

The idea being here that the bank industry's excessive risk taking was enabled by the acceptance of that risk by the government. Similarly, the risk taking that the public does with their own private health information is enabled by their belief that the risk has been shouldered by the government via regulations. The big difference being that the banks are able to force the government to take on the consequences of that risk; we regular people are not.

Re:wasted? (5, Insightful)

peragrin (659227) | about 4 years ago | (#31741122)

And that is why your delusion is worse. Without HIPAA companies weren't held responsible because it was always some other company's fault. Every company could plead it wasn't us because there was no way to track who was actually responsible.

There is a reason greed is a deadly sin among some religions. Let's try this another way. In Dec. of 2006, Circuit City BOD executives, noticing a small drop in sales and in need of their bonus checks, fired their top 3000 sales earners, the top 3000 who the company paid the most in salary that weren't managers, but who also accounted for the majority of their sales. They paid themselves tens of millions of dollars in bonuses. By July 2007 sales were a third of what they should be, and by Dec. 2007 most stores were closing up as the whole company was bankrupt.

That same kind of executive thinking is found in the majority of CEOs. Read http://money.cnn.com/galleries/2010/news/1004/gallery.top_ceo_pay/index.html?source=cnn_bin&hpt=Sbin [cnn.com]; over half the people on this list have gotten major bonuses yet are still posting losses for the same year. Do you want that kind of thinking to have total but deniable control over your health? That is life without HIPAA.

Just remember the vast majority of laws are there because someone abused something to the detriment of many. The law may not be perfect but having it is better than the alternative.

Re:wasted? (1)

Jah-Wren Ryel (80510) | about 4 years ago | (#31741358)

And that is why your delusion is worse.

What do you mean by "that?" My belief that if people weren't misled into trusting corporations they would be less cooperative? Or that HIPAA is minimally effective? Or something else that you've projected onto my writings that I didn't say?

Just remember the vast majority of laws are there because someone abused something to the detriment of many. The law may not be perfect but having it is better than the alternative.

I don't agree that laws which are the equivalent of "doing something, anything, just do something!!" are better than encouraging people to think critically about their own risk exposure.

Certainly the case of "The War On Drugs" is a behemoth of a counterexample to your claim - look at Portugal for example, 100% legalization since 2001, even meth and cocaine, and the result? A smaller % of the Portuguese have used marijuana than the % of Americans who have used cocaine, and no incarceration bills versus 30%+ of US inmates serving time for non-violent drug offenses.

Re:wasted? (1)

Gerzel (240421) | about 4 years ago | (#31740678)

Go back in time? Many companies don't care now. In general the larger the company the less they care.

Re:wasted? (1)

e2d2 (115622) | about 4 years ago | (#31741084)

Yeah, no doubt. Can you imagine how quickly your health records would make it to the data exchanges they use now to trade personal information? Facebook would wet its pants. I see you suffer from migraines, so you should friend Bayer Aspirin!

Re:wasted? (3, Insightful)

WalkingBear (555474) | about 4 years ago | (#31741212)

Federal requirements to protect health records, financial data, personal information, etc. are great things. Federal requirements that say "unlawful disclosure of X information will result in Y penalties" are definitely a good thing. Federal requirements stating *HOW* every business within an industry, or even across all industries, performs a function are outdated at best, counter-productive at worst, before the ink's dry on the legislation.

Re:wasted? (1)

pclminion (145572) | about 4 years ago | (#31741416)

So you think that the feds requiring people to protect your health records, for example, is a waste?

I would rather that my health records are ACTUALLY protected, rather than companies simply complying with regulations which may, or may not, actually protect my health records. The point here is that a lot of resources are being expended in order to comply with regulations. Insofar as complying with regulations actually protects my data, I'm fine with that. But do the regulations actually make anything more secure? Given the government's track record in these areas, I doubt it.

So yes, I think it's a waste that the government forces corporations to spend a shit ton of money doing things that don't actually help me, instead of spending that money actually securing my data.

Re:wasted? (1)

Daniel Dvorkin (106857) | about 4 years ago | (#31740394)

We the People have decided that certain types of compliance are relevant to certain businesses. If you don't like it, lobby to change the laws. You probably won't have a whole lot of luck convincing people that protecting personal medical data is in the same class as some absurd requirement like "wear a clown suit to work," though.

Re:wasted? (0)

Anonymous Coward | about 4 years ago | (#31740422)

The Summary (I didn't read the story, of course), implies that following the regulations doesn't help protect the company's assets. That's good. If the regulations protected the company's assets, you wouldn't need regulations, the company would protect their assets out of self-interest. These regulations are to force companies to protect things they have little financial interest in protecting, but society has an interest in them protecting.

Re:wasted? (2, Insightful)

Gerzel (240421) | about 4 years ago | (#31740612)

Neither is having a good fire escape strictly relevant to manufacturing shirt-waists, but it is still necessary for a good reason.

You have to look at why the compliance regulations are there and not if the regulations themselves have anything to do with the business.

The process is part of the goal in order to make sure things get done and done correctly. While yes, many can indeed do things correctly outside of the process and many more might be able to muddle through, the process is a form of insurance paid in extra time and labor to make sure things get done right.

Re:wasted? (0, Flamebait)

ffreeloader (1105115) | about 4 years ago | (#31740850)

Government regulations drive up costs, lower profits, and thus cut job creation? Who would have thought it....

Re:wasted? (1)

DragonWriter (970822) | about 4 years ago | (#31742110)

Note that if the Feds required that all of your marketing department drive Rolls-Royces, then what you said would still be true.

It would even be true if the Feds required that any software guy had to wear a clown suit to work.

Neither of these things is at all relevant to your business, however.

If the consequence of violating the federal requirements is large fines, throwing your noncompliant employees in prison, and prohibiting you from operating in your current line of business, then they all would be directly relevant to your business.

If there aren't any consequences for violating the requirements, then, sure, they aren't relevant to your business. And, in that case, I bet you'd find not a lot of money would get spent on compliance, either.

Re:wasted? (4, Informative)

Jer (18391) | about 4 years ago | (#31740314)

The title of the Slashdot summary is unsurprisingly misleading and inflammatory. Reading TFA it doesn't suggest that money going into compliance is "wasted" - it suggests that companies aren't spending enough money to protect their own IP from corporate thieves.

IOW - the article suggests that companies are spending the same amount of money to protect so-called "custodial" data (i.e. information they've collected about their employees and customers that are protected by HIPAA and other statutes) and their own IP. But the financial losses from losing their own IP are substantially higher than the losses they'll incur through leakage of "custodial" data, so they actually should be spending more money protecting custodial data than they spend on protecting custodial data.

The underlying assumption in the article is that, unless you've implemented your compliance stupidly, you actually can't fix this disparity by spending less money. You can't cut your budget on compliance because it's required by statute. So instead you should be spending more money on protecting IP assets so that the ratios more realistically reflect the importance of the data being protected. Money that Microsoft and RSA, the funders of the study, are happy to take to help you implement solutions to protect your oh-so-valuable IP assets.

Re:wasted? (0)

Anonymous Coward | about 4 years ago | (#31740764)

The underlying assumption in the article is that, unless you've implemented your compliance stupidly, you actually can't fix this disparity by spending less money. You can't cut your budget on compliance because it's required by statute. So instead you should be spending more money on protecting IP assets so that the ratios more realistically reflect the importance of the data being protected.

That doesn't make any logical sense. You are comparing mandatory cost A to non-mandatory cost B, and then arguing that because B is twice as important, and you can't change A, you should adjust B until the ratio looks right?

Maybe the ratio is out of whack because you are required to spend more on A than its importance warrants.

Re:wasted? (1)

cheesewire (876598) | about 4 years ago | (#31741062)

Being compliant is certainly not a waste from a business standpoint

That's the point, the companies making the software in TFA are all about compliance. As are their customers.

The problem is that the customers see the software as being effective because of the compliance cited (apparently even in the face of high rates of "failure"). On the flip side, the software companies are focusing on being compliant to a greater extent than on making effective software. Probably fueled by having customers who focus on their purchases being compliant.

Cue a vicious circle. And the whole process becoming a huge waste, despite it apparently being all well and good from a business standpoint.

Driven mainly by the law (0)

Anonymous Coward | about 4 years ago | (#31740042)

I suspect they are being driven by the regulations they are forced to comply with. They can't decide to play by their own rules.

So you're saying (5, Insightful)

compucomp2 (1776668) | about 4 years ago | (#31740088)

If there were no regulations and standards, then all the money would be funneled into actual security protocols?

Doesn't seem like that would be the case, especially since they are now just "going through the motions" to ensure compliance with regulations. The companies may well ignore data security altogether. By complying with regulations there is at least some level of security.

It's like the teachers' complaint that standardized tests force them to "teach to the test"; well, at least they're teaching something rather than nothing, which was the point of the test in the first place.

Re:So you're saying (0)

Anonymous Coward | about 4 years ago | (#31741508)

The astute teacher will note that this means there's a more severe problem (teachers who aren't teaching) and if the "solution" is to introduce something that prevents both groups from doing anything but preparing kids for the test, then I wouldn't call that a success. If your goal is just to make it look like you're doing something, then I guess you'd call that a success, but for those of us who care about the next generation, it's a failure of biblical proportions.

The US Government: If it ain't broke, fix it til it is!

Wow, way to miss the point. (3, Insightful)

Daniel Dvorkin (106857) | about 4 years ago | (#31740098)

If a company's IP is insecure, it may, possibly, lose some money. If data which falls under regulation is insecure, people go to prison. This is exactly as it should be, and so the "imbalance" is entirely appropriate.

I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information. Fortunately, most people in the world are sane enough to disagree.

Re:Wow, way to miss the point. (3, Insightful)

Attila Dimedici (1036002) | about 4 years ago | (#31740344)

If a company's IP is insecure, it may, possibly, lose some money. If data which falls under regulation is insecure, people go to prison. This is exactly as it should be, and so the "imbalance" is entirely appropriate.

I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information. Fortunately, most people in the world are sane enough to disagree.

An important correction: if data which falls under regulation is not kept according to the regulation people go to prison. If following the regulation decreases the security of the data, no problem.

Re:Wow, way to miss the point. (2, Insightful)

Daniel Dvorkin (106857) | about 4 years ago | (#31740504)

An important correction: if data which falls under regulation is not kept according to the regulation people go to prison. If following the regulation decreases the security of the data, no problem.

Fair enough, and if you can show that following HIPAA regulations makes personal medical data less secure, go for it. But the article doesn't address this point at all. They're talking solely about the relative value of corporate IP vs. data such as medical and credit information which is covered by regulation, and making the (absurd, to most people with a brain) argument that because the first is more valuable to the corporation than the second, corporations should spend their security dollars accordingly. In the absence of regulation, of course, this is exactly what would happen; the laws which specify harsh penalties for non-compliance are an entirely appropriate correction to this tendency.

Re:Wow, way to miss the point. (1)

Hijacked Public (999535) | about 4 years ago | (#31740632)

Who has gone to prison (in the US) for not securing data, pre the standards being discussed in the article?

Re:Wow, way to miss the point. (2, Insightful)

Daniel Dvorkin (106857) | about 4 years ago | (#31740766)

Who has gone to prison (in the US) for not securing data, pre the standards being discussed in the article?

Before the standards were in place? Nobody, of course. Which is why the standards were put in place!

If you think the standards are unrealistic, or don't achieve their objectives, or could be implemented better ... fine, those are all valid points. But TFA doesn't address that at all. The point of HIPAA, PCI-DSS et al. is to ensure that corporations which deal with sensitive personal data take appropriate care with that data. Apparently some people in the executive suite are whining that they have to spend too much money protecting other people's information, because even though having the data is absolutely necessary to running their business, protecting it takes too much time and money. Well, cry me a river.

Re:Wow, way to miss the point. (1)

Hijacked Public (999535) | about 4 years ago | (#31740986)

No, since the standards were put in place, obviously. There have been some fairly extensive violations. Some companies have violated HIPAA multiple times. Who has gone to jail?

Re:Wow, way to miss the point. (0)

Anonymous Coward | about 4 years ago | (#31741398)

No, since the standards were put in place, obviously

pre and per are so close together yet so far in meaning...

Re:Wow, way to miss the point. (1)

Beryllium Sphere(tm) (193358) | about 4 years ago | (#31741094)

PCI is a contractual thing rather than a criminal law, and unless I'm unusually badly mistaken the criminal penalties of HIPAA only come up for deliberate breaches (e.g. selling Tiger Woods's STD report to the National Enquirer, as opposed to being careless with infosec).

Re:Wow, way to miss the point. (0)

Anonymous Coward | about 4 years ago | (#31740828)

If the company's IP is insecure there's a very good chance the company will be put out of business by a competitor, so starving IP protection to comply with regulations is probably worse for the company than seeing a few employees go to jail.

But the important point in all of this is that both IP protection and reg compliance cost a lot of money. HIPAA is costing health care consumers in the US billions of dollars; whether that's money well spent or not, it's money that's being spent.

Re:Wow, way to miss the point. (1)

BitZtream (692029) | about 4 years ago | (#31741150)

Well, for all intents and purposes Forrester Research is just another Microsoft marketing division, so I'd say your statement was probably spot on.

Re:Wow, way to miss the point. (1)

Red Flayer (890720) | about 4 years ago | (#31741166)

I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information.

We can't make that supposition based on this paper.

What we can suppose is that the people at Forrester Research think that getting paid to write white papers is more important than what they personally think. :)

That's my view on Forrester, Gartner, etc.

"waste"? (0)

Anonymous Coward | about 4 years ago | (#31740106)

Having been deeply involved in HIPAA privacy protection for a large, monocolor insurance company in the state that hosts the NCAA men's basketball team with the greatest momentum, I can state that the company's customers would likely not consider the investment a waste. I think this looks like Microsoft and RSA have asked Forrester for some product and service marketing help. Not that corporate IP is not important; for many companies the expenditure does not mean much of a financial payback.

Well That Makes Sense (4, Insightful)

TheNinjaroach (878876) | about 4 years ago | (#31740138)

Regulations are in place to force companies to protect data that they would otherwise have very little incentive to protect. Protecting data that is important to the company itself comes naturally and does not require mandates.

Re:Well That Makes Sense (2, Informative)

guruevi (827432) | about 4 years ago | (#31740516)

The main problem with most compliance protocols (HIPAA or PCI) is that at best they do nothing at all, at worst it's actually counterproductive as it opens the company up to more breaches (due to human nature, laziness or conflicting policies).

I am involved in both HIPAA and PCI compliance and in the past I have been involved with Sarbanes-Oxley as well. For example, with PCI as well as Federal wiretapping compliance, you need to have your wireless and public networks, respectively (if you're a de-facto wireless internet provider to random strangers - eg. libraries, universities, ...), run through a separate (3rd party) provider, and they need to be either logically or physically divided from the main network. Therefore, anyone on your public or wireless network will have to tunnel a VPN through a 3rd party provider, route it out to the internet and back into your primary provider to get work done, which makes the whole system inherently less secure because your data goes outside your network.

PCI requires a firewall before your internet facing servers but also a perimeter firewall (if you have a really large institution) before all your edges even though you may have separate departmental firewalls. This does not make sense as you get to have 2 or 3 layers of firewalls - the first 2 layers being the ones that were historically built-up and the 3rd layer, a concentrated firewall and internet provider hub which becomes 1) easier to attack because it's all in one point, 2) easier to fail for the same reason, 3) more difficult to maintain because you still need the hierarchy of departmental firewalls to prevent attacks from other departments or other points in the network.

Re:Well That Makes Sense (2, Insightful)

bearsinthesea (1619663) | about 4 years ago | (#31741992)

I think you have some misconceptions about PCI. "At best", I have seen PCI make companies improve firewall rules, secure WLANs, and encrypt your plaintext credit card numbers (for starters).

If someone has told you that PCI requires using a 3rd party provider for public networks, you should get a second opinion. I have never seen that required or implemented.

Similarly, your firewall problem seems specific to your implementation. PCI requires firewalls between public networks and the cardholder data environment. Internal firewalls are not required, but are usually used to limit the scope of PCI. You don't want to make your CEO or secretary's computer PCI compliant, so you use firewalls to isolate only the systems in the cardholder data environment. You don't -have- to do this, but it makes things easier. I don't understand specifically what you mean by "a concentrated firewall and internet provider hub", but it does not sound like something required by PCI. Although it may have been a system designed by your organization to make compliance easier.

Re:Well That Makes Sense (1)

Beryllium Sphere(tm) (193358) | about 4 years ago | (#31740624)

You might think so, and there are probably organizations where that's true, but in my practice I've been getting clients I never would have before who've been jolted out of apathy by finding that there are security measures that someone else is telling them to take.

Checklist Security... (4, Insightful)

Jah-Wren Ryel (80510) | about 4 years ago | (#31740202)

their security programs are driven mainly by compliance, rather than protection (PDF).

Sadly, this seems to be the way of the world. Even the things you would expect to be high-security, like classified information, tend to get this sort of treatment. I like to call it "Checklist Security" because most of the people doing security work are more interested in checking off steps in an official procedure to CYA themselves than in making sure that whatever they are trying to protect is actually secured.

The TSA is another classic example - no containers of liquid greater than 100ml on the plane because that's on the checklist, but indiscriminate dumping of hundreds of them into one big trash bucket next to 30+ people in line at the checkpoint is fine because that's not on the checklist.

Re:Checklist Security... (1)

MartinSchou (1360093) | about 4 years ago | (#31740956)

The TSA is another classic example - no containers of liquid greater than 100ml on the plane because that's on the checklist, but indiscriminate dumping of hundreds of them into one big trash bucket next to 30+ people in line at the checkpoint is fine because that's not on the checklist.

It's always a fun discussion to have with the security personnel (just make sure it's not one you have at the airport).

"Suppose you saw someone with what looked like a hand grenade on his belt, would you tell him to just dump it in the bin?"
"Well, no, I'd call the cops on his ass and bring in the bomb squad."
"But the greater than 100 ml liquid container that might be an explosive, is dumped into the 100 liter bin with the 20 liters already in there?"
"Uhm ..."
"So now you have 20 liters of potential explosive liquids in that bin."
"Ehh ..."
"Suppose someone discarded an innocent looking packet of cigarettes into the bin, would you be concerned?"
"Well ... no. People throw all kinds of crap in there."
"And if I told you that you could build a small detonator that fits perfectly fine inside of an empty packet of cigarettes?"

Re:Checklist Security... (1)

Beryllium Sphere(tm) (193358) | about 4 years ago | (#31741142)

Box-checking mostly deserves its bad reputation, but I feel so sorry for it that I'm moved to defend it a little.

Box-checking helps prevent security-aware people from overlooking something.

Box-checking helps prevent security-unaware people from doing nothing.

Re:Checklist Security... (1)

Jah-Wren Ryel (80510) | about 4 years ago | (#31741432)

Box-checking mostly deserves its bad reputation, but I feel so sorry for it that I'm moved to defend it a little.

I'm a big fan of checklists as a tool. [smartplanet.com]
But in the security domain too often they are an end rather than a means.

Complying with the law is not wasted money (1)

Bearhouse (1034238) | about 4 years ago | (#31740206)

For corporate officers, it's essential.
The problem arises when scarce resources, and inadequate competence, mean that 'are we secure?' becomes 'are we complying?'
Hence the tendency to run towards out-of-the-box 'solutions' that are often far from 100% secure.
We (IT guys) have our share of responsibility; it's very difficult (but not impossible) to get senior management to take this point seriously.
Tip: I normally wait for an 'OMG Google hacked by the Chinese' news item before pouncing...

CIP Anyone (1, Interesting)

Anonymous Coward | about 4 years ago | (#31740212)

Look up critical infrastructure protection for a good example of a waste of time and money. Nebulous requirements that are audited to subjective standards by an agency that is funded by the fines they generate. What could possibly be wrong with that? When you see your electric bill rising this would be at least part of the reason why. It started out with good enough intentions: hold utilities accountable for the security of the systems used to provide critical services. However in practice it's more about generating fines than it is about ensuring security.

It's more than IT compliance (4, Interesting)

grimsnaggle (1320777) | about 4 years ago | (#31740222)

My school, working with VW, built a new building for automotive projects. It has handicapped parking spaces, handicapped showers and bathroom stalls, male and female restrooms, and multiple chemical showers. There are few handicapped people in the school, fewer in engineering, and none on any of the automotive teams - for obvious reasons. There are also very few females, to the point that unisex bathrooms (like those used in more gender-normal parts of campus) would have been a fine option.

There's also wasted space for clearance around electrical panels (which are everywhere), inspection points, etc. All told, some 30% of the square footage of the new building is wasted by complying with regulations. And the government charged us $130/sq ft just for the permit.

And we wonder why China is whipping our ass...

Re:It's more than IT compliance (0)

Anonymous Coward | about 4 years ago | (#31740570)

Unless all the administration is run by engineering students, and you are never going to host any projects that may be useful to the disabled, those disabled facilities might actually see use. What are those chemical showers about, though?

Re:It's more than IT compliance (1)

oatworm (969674) | about 4 years ago | (#31740954)

Cars have chemicals in them and are frequently serviced with other chemicals. Ever get gasket remover on an un-gloved hand before? Heck, ever spray gasket remover on a latex glove? Now imagine getting some accidentally sprayed near your face or something similar. Not fun.

Re:It's more than IT compliance (1)

rickb928 (945187) | about 4 years ago | (#31740860)

$130/sq ft for the permit? Usually commercial buildings go for $145 [dcd.com]-$300 [jaypgreene.com]/sq ft. Maybe you meant $13/sq ft? Actually, which 'government'? The one that operates the school, or the one that runs things where the school is? Of course, if it's the Chattanooga school, well, it doesn't seem so different from many places in the U.S. Not many 'governments' here charge you even half of the construction cost for permits, but ya learn something new every day.

And clearance around utilities and equipment isn't 'wasted space'. You will know this when you get out into a real shop for your first job and are happy for the wasted space around your lift. Just being able to let the snow drip off is reason enough for a little room. Being able to actually reach inspection points to find that first roof leak will be reason enough also. Resetting a breaker when your buddy saws through his power cord is so much easier when you don't have to move two vehicles out of the way. In the dark.

30% for clearance? Sounds pretty economical to me. The test assembly line will need that much alone.

Re:It's more than IT compliance (1)

Blakey Rat (99501) | about 4 years ago | (#31741326)

$130/sq ft for the permit? Usually commercial buildings go for $145-$300/sq ft. Maybe you meant $13/sq ft?

I'm confused by your "correction." He said $130, you say they go from $145-$300... sounds definitely close to the correct value to me. Then you propose he meant a value 10 times less? Huh?

Re:It's more than IT compliance (1)

rickb928 (945187) | about 4 years ago | (#31741648)

No, I said CONSTRUCTION COSTS were $145-$300/sq ft. The poster said PERMITS were $130/sq ft.

I seriously doubt permits go for any appreciable fraction of building costs. Some local levy might, but permits? After about 15% I would think something is wrong.

Of course, there is always something wrong with the permitting process...

Re:It's more than IT compliance (1)

bill_mcgonigle (4333) | about 4 years ago | (#31741860)

I'm confused by your "correction." He said $130, you say they go from $145-$300... sounds definitely close to the correct value to me. Then you propose he meant a value 10 times less? Huh?

I think he's saying permit fees are approximately equal to building costs in his jurisdiction.

Re:It's more than IT compliance (2, Insightful)

vlm (69642) | about 4 years ago | (#31741106)

Sometimes things are overbuilt for future use. For example in my area a large building at the local CC was designed and built for a "printing industry center of excellence". Crashed and burned, now they have general ed classes in the empty rooms.

The womens bathrooms will get more use when VW moves out and nursing holds some classes in the empty rooms. Or the handicapped folks training to become accountants, or whatever.

I find it highly unlikely you'll pay $130/sq for a permit alone. Maybe total project cost from say go until first class is held.

Sounds about right (2, Interesting)

VTI9600 (1143169) | about 4 years ago | (#31740252)

What TFA refers to as "custodial data" (customer PII, CC numbers, etc.) *should* be protected by compliance with government and industry-specific regulation. If a company wants to shoot itself in the foot by not protecting intellectual property, trade secrets, sales leads, etc. then let them. CxOs are far more likely to be paranoid about security of their precious secrets than about their customers' data anyway, since one is an asset while the other is a burden (security-wise).

Re:Sounds about right (1)

Hognoxious (631665) | about 4 years ago | (#31740770)

How do you protect intellectual property data and at the same time allow people to work on it?

Re:Sounds about right (1, Funny)

Anonymous Coward | about 4 years ago | (#31740944)

Infect them with a deep-structure metavirus that allows easy human neuro-programming. Preferably with some nam-shub protection in version 2. Side effects include glossolalia, and one in 20 subjects needing an antenna grafted to their skull for efficient 'me' broadcasting.

Re:Sounds about right (1)

oatworm (969674) | about 4 years ago | (#31741046)

Use the usual suspects - auditing and access controls. Make sure nobody that shouldn't or needn't have access to it does and keep track of when/where/what/how/why those that do are accessing it. Many of the security regulations deal with the "what" part (PCI-DSS says you normally don't get to keep your customer's credit card number, no matter how profitable it might be for you to keep it lying around in an Excel spreadsheet somewhere) and the "how" part (no, you don't get to access your medical network through an unsecured, unencrypted wireless LAN).

Re:Sounds about right (1)

Hognoxious (631665) | about 4 years ago | (#31741546)

Make sure nobody that shouldn't or needn't have access to it does

How can someone work on it when they don't have access to it? You know, we want to stop our sales people having access to the customer database - that kind of thing. Well confiscate their pencils and poke their eyes out...

Re:Sounds about right (1)

oatworm (969674) | about 4 years ago | (#31741732)

Easy. First, define what parts of the customer database they absolutely need access to and what kind of access they need. Does every salesperson need all of the information about every customer, or can you just hand them the customer records that they absolutely need? Are there certain records in the database that you don't want them overwriting (pricing/financial/etc.) that they do need write access to? Are there certain records that they absolutely do not need to be able to read?

Then, once you've identified and defined what parts of the database they need access to and the minimum level of access they need to those parts to get work done, you then audit everything they're allowed to touch. Who edited this record when? When did Bob Salesguy last view this record? When did Jill Salesgirl create this customer record? Who updated the contact name and address on Fabrikam Northwinds, Inc.?

Of course, once you've defined what kind of access you want to provide and how much of an audit trail you need, the next step is to see if your existing infrastructure can support that. Are there parts missing (parts of the audit trail, etc.)? Is it technically impossible or really difficult with what you're currently using (database is in an Access DB that can be carried on a USB stick)?

Ultimately, it all comes down to least privilege. You want to give them the least amount of access possible that lets them do their jobs, and not a whit more. Define how to do that and you've defined a security process.
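One way to put the procedure in the comment above into working form, as an added example that is not code from the comment, the Forrester paper, or any vendor: a constructed customer table, a per-role policy that says which fields each role may read or write and whether it is limited to its own accounts, and an audit trail that records every access attempt (allowed or denied). The roles, field names, user names and customer records are all assumptions made for illustration.

```python
"""Least-privilege field access over a customer table, with an audit trail.

Added example: the roles ("sales", "finance"), fields, users and records
below are constructed for illustration and are not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records. "owner" is the salesperson who manages the account.
CUSTOMERS = {
    "C100": {"owner": "bob", "name": "Fabrikam Northwinds, Inc.",
             "contact": "J. Doe", "address": "1 Main St", "pricing": 0.15},
    "C200": {"owner": "jill", "name": "Contoso Ltd",
             "contact": "A. Roe", "address": "2 Side St", "pricing": 0.20},
}

# Step 1: define, per role, the minimum fields and access level needed.
# Sales may see contact details of their own accounts and correct them, but
# never touch pricing; finance may see and set pricing on any account.
POLICY = {
    "sales":   {"read": {"name", "contact", "address"},
                "write": {"contact", "address"}, "own_only": True},
    "finance": {"read": {"name", "pricing"},
                "write": {"pricing"}, "own_only": False},
}

USERS = {"bob": "sales", "jill": "sales", "ann": "finance"}


@dataclass
class AuditEvent:
    when: str        # UTC timestamp of the attempt
    user: str
    action: str      # "read" or "write"
    record: str
    fields: tuple
    allowed: bool    # denied attempts are logged too


class CustomerStore:
    def __init__(self, records, policy, users):
        self._records = {k: dict(v) for k, v in records.items()}
        self._policy = policy
        self._users = users
        self.audit: list[AuditEvent] = []

    def _check(self, user, action, record_id, fields):
        """Step 2: decide by policy, and log the decision either way."""
        role = self._users.get(user)
        rec = self._records.get(record_id)
        allowed = False
        if role is not None and rec is not None:
            rule = self._policy[role]
            in_scope = (not rule["own_only"]) or rec["owner"] == user
            allowed = in_scope and set(fields) <= rule[action]
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     user, action, record_id, tuple(fields), allowed))
        return allowed

    def read(self, user, record_id, fields):
        if not self._check(user, "read", record_id, fields):
            raise PermissionError(f"{user} may not read {fields} on {record_id}")
        rec = self._records[record_id]
        return {f: rec[f] for f in fields}

    def write(self, user, record_id, updates):
        if not self._check(user, "write", record_id, list(updates)):
            raise PermissionError(f"{user} may not write {list(updates)} on {record_id}")
        self._records[record_id].update(updates)
        return True


def history(store, record_id):
    """Answer 'who touched this record, when, and was it allowed?'"""
    return [e for e in store.audit if e.record == record_id]


def denied(store):
    """Denied attempts are the events a reviewer looks at first."""
    return [e for e in store.audit if not e.allowed]


if __name__ == "__main__":
    s = CustomerStore(CUSTOMERS, POLICY, USERS)
    print(s.read("bob", "C100", ["name", "contact"]))
    try:
        s.write("bob", "C100", {"pricing": 0.5})     # sales cannot set pricing
    except PermissionError as e:
        print("denied:", e)
    for ev in history(s, "C100"):
        print(ev)
```

The point of logging the denied attempts alongside the allowed ones is that the audit trail then answers both of the comment's questions: who legitimately edited a record, and who tried to reach data outside their defined need.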

DDA compliance (1)

kiehlster (844523) | about 4 years ago | (#31740256)

Maybe security compliance might be a waste of money (eg, security through obscurity), but let's not forget that if your website isn't accessible to the disabled you can be sued for it. I'm not sure if there are any state or federal mandated security requirements, but I imagine consumers can sue you after a break-in when you're not security compliant.

Duh! (1)

LazLong (757) | about 4 years ago | (#31740388)

Learned this at LLNL. The computer security people there don't care about real security, they care about compliance. Else, they wouldn't have non-technical people such as ex-secretaries auditing and approving compliance with internal and US gov't regulations. "What is this dhcp thingy you are talking about?" "What is a domain?" "You're using logic; this is computer security."

Seems to be a typical management mentality - _appearing_ compliant, while not achieving the goals that the compliance is supposed to achieve.

Re:Duh! (1)

Daniel Dvorkin (106857) | about 4 years ago | (#31740664)

What you say is true, but has nothing to do with what's being discussed in TFA. Read it again -- they're very cleverly conflating the "compliance vs. actual security" issue, which is a real and valid concern, with the "stupid Feds are making us spend money on protecting worthless crap like individual credit and medical records instead of the IP that makes us money!" whine, which should be dismissed immediately by any rational person.

Re:Duh! (1)

ePhil_One (634771) | about 4 years ago | (#31741500)

Actually, I suspect it's even better than that. They are comparing the "Value" of Corporate IP vs the "Value" of Personal information. What metrics did they use: black market prices (your personal info isn't worth much), potential monetization via advertising, how much thieves could earn from your stolen identity, or how much it would cost to offer every ID stolen a credit watch service (astronomical costs)?

It's simple: compliance forces you to categorize Personal info as needing the highest protection, so just rate your corporate IP as the same category and the two budgets are practically one. Hell, they often are, as the client list is often the most important IP in a company. Maybe the secret formula to Coca-Cola is more valuable, but most companies don't really have that valuable IP; their value is in Brand, people, and inertia, which can't be stolen.

the summary is wrong (1)

sweatyboatman (457800) | about 4 years ago | (#31740438)

Enterprises devote 80% of their security budgets to two priorities: compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each.

So, the same amount of money is being spent between compliance and securing IP.

The paper suggests that companies should put more emphasis on the securing IP (trade secrets, etc.) and less on compliance. (Even after taking into consideration the penalties and punishments of a compliance failure)

It should also be pointed out that by compliance they mean all efforts to secure other people's information. So not just federal requirements, but also contractual obligations, and private lawsuits and PR problems that such security failures would entail.

from the paper:

We identified two kinds of information that have clear and tangible value. Proprietary company secrets generate revenue, increase profits, and maintain competitive advantage. In addition, custodial data such as customer, medical, and payment card information has value because regulation or contracts make it toxic when spilled and costly to clean up. We explain each below.

Common sense at last (0)

Anonymous Coward | about 4 years ago | (#31740456)

In many cases, the process of being "compliant" consists of replacing one set of vulnerabilities with another. Or writing up a ton of documentation that explains a set of policies and procedures -- knowing full well that there are gaping holes in operational practices and easy circumvention methods for anyone who wants a unilateral exemption.

I know of one organization that had a boatload of corporate governance, security and compliance audits, extensive corrective action reports for each "finding", etc. And yet, along comes an outsourced programmer who leaves a privileged database password embedded in a file that was exposed to the internet via the company's website. They were offline for a few days, assessing just how thoroughly their systems were compromised when the hackers attacked.

This particular organization had a huge number of IT "management" staff, but most of them were converted from finance and had weak IT skills. Their emphasis on compliance came at the expense of operational competence. E-mail, database, or file servers might take a day off every now and then for the crisis du jour, but by golly they had corporate governance!

My point too! (1)

DRAGONWEEZEL (125809) | about 4 years ago | (#31741734)

I was AC in a similar post and subsequently got modded down similarly.

This particular organization had a huge number of IT "management" staff, but most of them were converted from finance and had weak IT skills. Their emphasis on compliance came at the expense of operational competence. E-mail, database, or file servers might take a day off every now and then for the crisis du jour, but by golly they had corporate governance!

The key part for me is your first sentence here. Where I work, we have the same issue: IT people who don't "Love" computers, who are more process & workflow people than true tech geeks. Process and workflow is important, VERY important, and I'm not saying those people shouldn't be where they are, but you need to have a mix of skills. Those tech people can do MORE than just comply w/ the law; they can help a corp. exceed the standards set by organizations and laws such as HIPAA.

The report is plain wrong IMHO (1)

hugetoon (766694) | about 4 years ago | (#31740458)

In figure 1 of the report one can read that consequences of custodial data leak would be cleanup and notification costs.

However, here's an excerpt from a randomly picked PCI-DSS FAQ (http://pci.evolve-online.com/pci-faqs.asp)

"
What are the penalties for non-compliance?
In the event of a security breach, penalties for non-compliance are imposed. We understand currently these to be in the order of:

        * Fines at the rate of 5 euros per compromised account
        * A breach fee in excess of 100,000 euros per incident
        * Possible restrictions on the merchant
        * Permanent prohibition of the merchant's participation in Visa and MasterCard programs
        * Beyond compliance, business risks relative to brand, customer loyalty and company valuation exist if the cardholder data is not securely managed
"

Disclaimer: I do PCI-DSS audits

Re:The report is plain wrong IMHO (2, Insightful)

sweatyboatman (457800) | about 4 years ago | (#31740646)

The report doesn't actually say that companies should not spend money on compliance. The summary says that, sure, but this is slashdot.

The paper says that the cost to companies of IP theft is far larger than for data leaks.

since companies cannot spend less on compliance, clearly the point is to get them to spend more on IP security. Which might be why Microsoft and RSA commissioned the paper in the first place. Now they can go into corporate board rooms and say "Yes, you already spend $X millions on security, but this report shows why you should spend $2X millions more on our new and improved security!"

Re:The report is plain wrong IMHO (1)

hugetoon (766694) | about 4 years ago | (#31741284)

I was talking about the report, not the summary.

I agree with your analysis of the agenda.

Yet the report is wrong in the sense that it understates (intentionally?) value of being compliant.

Ironically the point of view of authors is a good illustration of Economics of Security http://en.wikipedia.org/wiki/Economics_of_security [wikipedia.org].

The word penalty isn't used even once in the document while compliance efforts are mainly driven by the need to avoid penalties because penalties are the main impact (otherwise there would be no need for regulations).

One of two ways (5, Insightful)

david_thornley (598059) | about 4 years ago | (#31740486)

The point of these regs is that the corporation and its clients have diverging interests. It's in my interest that my medical records not be publicly distributed (well, it certainly could be), but releasing them wouldn't really matter to the companies that keep them. Since I don't have much of a choice of companies, and can't audit these companies, market forces are inadequate to protect my interests.

Therefore, the government steps in. There are three ways the government could do this. One is to prescribe security measures. One is to allow me to sue for a whole lot of money in statutory damages if my privacy is breached. This gives the company some incentive, but it means that a large breach (despite what may be good security measures) kills the company. The last way is to have criminal penalties for data breaches, and that has the same result.

The prescribed security measures are actually the safest way for a given business. They require some expense, but they're also a form of insurance.

As far as the company's vital data goes, well, protecting their data is up to them. They have the resources, authority, and incentive. They have resources and authority to protect my data, and I have the incentive.

Re:One of two ways (1)

vlm (69642) | about 4 years ago | (#31741256)

but releasing them wouldn't really matter to the companies that keep them

Carrot or stick? Stick seems a miserable failure. Let's try carrot.

Allow them to sell your records for a minimum high fixed cost. You know they trade them for free right now. High enough that the market is pretty thin indeed. Let's say $100K, and you are required to get a cash kickback of $X per sale. If your info is publicized, their balance sheet is ruined since no one would buy from them and you can sue them for your kickback. They'll just discount the cost off their balance sheet onto some kind of NPV calculation, but at least it's a start.

Truth be told (1, Informative)

Anonymous Coward | about 4 years ago | (#31740852)

I work in Healthcare IT.

HIPAA just freaks people out. It is in most respects far less stringent than state law, yet the word strikes fear into the hearts of management. It's such a frustrating "buzzword" to hear from a sales rep that I have to focus not to discount anything they say after the words "HIPAA compliant." It's like telling someone they won't get a virus if they have Norton installed. HIPAA basically says you have to take reasonable measures. A password protected account is a reasonable measure by their definition. Sure, it's better than nothing, but never as strong as many other good habits we have around security. Compliance w/ a static law does nothing to maintain security in the future, let alone today, and anyone in the IT field surely knows that true "security" is a balance between functionality, ongoing education, and administration such that business needs are met, privacy is expected, and policies are strict enough to block most crap and lenient enough to allow work to get done. Unfortunately, I concur that far more emphasis is placed on "meeting" regulatory compliance, and not EXCEEDING compliance.

I'm posting Anonymously because my location, name, and career, combine to form a unique ID that would easily identify me since I'm in a small town.

How did they measure compliance? (2, Interesting)

prgrmr (568806) | about 4 years ago | (#31740864)

The HIPAA regs have a lot of criteria for data protection, but practically nothing about how to implement or measure a given implementation for that criteria. I worked at a hospital where the CIO honestly thought that having backup tapes and a spreadsheet of prioritized servers to bring back up in the event of a disaster was a sufficient D.R. plan to cover what HIPAA required. So how did the study measure compliance?

The answer is that they didn't. Nor did they measure effectiveness of compliance-based processes and procedures, nor did they take into account the benefit of being in compliance. There's a chart in the .PDF that contrasts "custodial data" with "secrets". One of the criteria is Consequences. For "Secrets", the consequence is revenue loss, which is not necessarily automatic; however, they don't list revenue loss for "custodial data", even though there will be some, even if short-term, drop-off in business due to the incident.

The study is presented from the bias that the two commissioning companies wanted, namely to drum up a motive via this presumably expertly manufactured need for greater security for security's sake. And you can bet that both Microsoft and RSA are going to be using this study to drive more product sales, and doing so from the perspective that better overall security equals better compliance--whether it actually does, or not.

I totally agree. (0)

Anonymous Coward | about 4 years ago | (#31741930)

I didn't get the chance to read the article, was just posting my thoughts based on the summary. It seems you get what I'm saying though, and I guess in a way, I'm advocating what they are saying because of my experiences in HC IT. You are correct that custodial data has value. It has far reaching value to the people who generated the data, but more in that it's a huge liability. The cost of carrying a liability is $0.00 until something happens, and it always does. The cost of carrying liability insurance (aka regulatory compliance in this context) is a little more, but somewhat measurable. The cost of decent security is the cost of compliance + the cost of additional resources as determined necessary by risk assessment, which is not immediately measurable, but not exactly unobtainable.

Risk assessment (1)

Beryllium Sphere(tm) (193358) | about 4 years ago | (#31740886)

This isn't an either/or question. An organization should step back, do an inventory (*much* easier said than done), and weigh the consequences and likelihood of a range of Bad Things, in other words a risk assessment.

A relatively unnoticed provision of PCI requires doing a risk assessment, and you'd better do a risk assessment for HIPAA as well.

If you do a risk assessment right, then you'll be led to spending money in the places where it does the most good. If a regulation prompts you to do one, then it has served security in general.

Accounting (2, Insightful)

Herkum01 (592704) | about 4 years ago | (#31741010)

Compliance is about appeasing the corporate bureaucrat with something which they can measure. Why do you think they hate IT? They don't know how to measure anything. Better to make up a measurement and pretend it means something rather than spend time and effort on something you have no interest in and really don't understand.

cost vs benefit (1)

DaveGod (703167) | about 4 years ago | (#31741028)

TFA argues that more money should be spent on security than compliance because security is worth more. This makes a big assumption that each $ spent is equally effective wherever it is spent: it may simply be more expensive to provide an acceptable level of assurance over compliance. Cost vs. benefit.

Secondly, their concept of "valuable" seems to refer to their value as assets, but compliance is more about reducing the risk of potential liability. Compliance is required. Maybe it's with good reason, maybe it's red tape; either way doing it probably appears to add no value, but the consequences of not doing it may be ultimate. If a plausible consequence of non-compliance is the total failure of the company, say through legal action or customers deserting, it is therefore not possible for anything to be more valuable to the company than compliance.

e.g. Sarbanes–Oxley (0)

Anonymous Coward | about 4 years ago | (#31741148)

Considering our current financial oh-noes, what has Sarbanes–Oxley achieved other than create an industry out of compliance? Worse - spawning dreaded Regulatory Compliance droids busting balls at every opportunity. Thankfully they have proved themselves redundant.

Of course we need some kind of rules, but more importantly, there needs to be a huge shake up of corporate governance.

Re:e.g. Sarbanes–Oxley (0)

Anonymous Coward | about 4 years ago | (#31742040)

Of course we need some kind of rules, but more importantly, there needs to be a huge shake up of corporate governance.

That was the entire point of sarbox: the chief officers are held responsible for the financial statements that they signed, and to end the era of executives who feigned stupidity when asked "do you have any idea what your company was doing?"

Doing this required plugging all the loopholes that executives had used to deflect blame. "I never saw that memo" (funny, the audit log shows that you not only read it, you forwarded it to your lawyer). "That's odd, when I signed it, I know it said $x here, I would never have signed it had it said $y" (funny, access control says that you're the only person who can change that number. And the audit log shows that you changed it. After you sold your stock in the company).

It should have been such a simple thing, but the problem is that it was left excessively open-ended in an attempt to head off any executives who try to get creative as a way around the controls. Because of that, it ended up requiring people to stop and check everything they do to make sure that it wouldn't be interpreted as such an end run.
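The reply above leans on two controls to pin a change to a person: access control says who may change a figure, and an audit log says who did. The following added example (not from the post, and not any real SOX tooling) shows the shape of an audit log that can support that claim: each entry records the actor, the old and new value, and is chained to the previous entry by a SHA-256 hash, so that editing an old entry after the fact, or re-writing it with a fresh hash, is detected by verification. The field names, users and permission table are constructed for illustration.

```python
import hashlib
import json
from typing import Dict, List, Optional, Set, Tuple

GENESIS_HASH = "0" * 64  # previous-hash value for the first entry
BODY_KEYS = ("seq", "user", "field", "old", "new")


def entry_body(entry: Dict) -> Dict:
    """The part of an entry that is covered by its hash."""
    return {k: entry[k] for k in BODY_KEYS}


def entry_hash(prev_hash: str, body: Dict) -> str:
    """Hash of the previous entry's hash plus a canonical encoding of this body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self, permissions: Dict[str, Set[str]], initial: Dict[str, object]):
        self.permissions = permissions   # field -> users allowed to change it
        self.values = dict(initial)      # current value of each field
        self.entries: List[Dict] = []    # append-only, hash-chained

    def record_change(self, user: str, field: str, new_value: object) -> bool:
        """Apply a change if the user is permitted; return False (and log nothing) otherwise."""
        if user not in self.permissions.get(field, set()):
            return False
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "user": user, "field": field,
                "old": self.values.get(field), "new": new_value}
        self.entries.append({**body, "prev_hash": prev_hash,
                             "hash": entry_hash(prev_hash, body)})
        self.values[field] = new_value
        return True

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
        for i, e in enumerate(self.entries):
            expected_prev = self.entries[i - 1]["hash"] if i else GENESIS_HASH
            if e["prev_hash"] != expected_prev or e["hash"] != entry_hash(e["prev_hash"], entry_body(e)):
                return False, i
        return True, -1

    def changes_to(self, field: str) -> List[Tuple[str, Optional[object], object]]:
        """Who changed a field, from what, to what, in order."""
        return [(e["user"], e["old"], e["new"]) for e in self.entries if e["field"] == field]


def build_demo_log() -> AuditLog:
    """Constructed scenario: only the CFO may change net_income; HR and the CFO may change headcount."""
    log = AuditLog(permissions={"net_income": {"cfo"}, "headcount": {"cfo", "hr"}},
                   initial={"net_income": 1_000_000, "headcount": 250})
    log.record_change("cfo", "net_income", 1_500_000)
    log.record_change("hr", "headcount", 260)
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("ceo allowed to edit net_income?", log.record_change("ceo", "net_income", 900_000))
    print("net_income history:", log.changes_to("net_income"))
    print("chain intact:", log.verify())
    log.entries[0]["user"] = "intern"   # attempt to shift blame after the fact
    print("after tampering:", log.verify())
```

Two things this does not do, which a production system must: keep the log somewhere the people it records cannot write to at all (otherwise a tamperer can rebuild the whole chain from the altered entry onward), and anchor the latest hash somewhere external (a signed timestamp, a write-once store) so that wholesale replacement is also detectable. The chain alone only guarantees that a partial edit is caught.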

News Flash: Life boats no help in desert! (2, Interesting)

cenobyte40k (831687) | about 4 years ago | (#31741204)

The idea behind those laws is not about protecting the company, it's about protecting the consumer and investor in that company. They are designed to give the same protection to the little investor, or individual customer the company doesn't care about, as the big guy the company could have trouble with if they piss off. I know that these laws don't always work that way, but to say they don't help protect the company is like saying that life boats aren't worth anything because they don't help people trapped in the desert. If the boat doesn't help people at sea then it's worthless and we should do something about it. I don't care if murder being a crime doesn't help against rape, I still want it to be a crime.

Well of course (2, Informative)

ZouPrime (460611) | about 4 years ago | (#31741440)

The reason why security programs are geared toward compliance is because that's what sells to stakeholders!

A security manager in a typical organisation can rarely go see his boss to ask for massive investment in security without being laughed at. Security costs money, and without facing a real, quantifiable risk, his boss simply won't care. Obviously your mileage may vary depending on your boss's cluelessness, your ability to efficiently sell fear, and your industry.

Compliance, on the other hand, is scary. There are penalties directly associated with non-compliance, and you know someone will actually come here and check if you're compliant or not. So the risk is very direct and very obvious. That's why it's a much easier sell.

Of course, standards and regulations are designed to enforce security to begin with. Not saying that they are always succeeding, but at least they try to. So in the end, being compliant with a security standard does help your organisation's security. The issues arise when one tries to game the compliance, by falsely reporting which assets are critical for example. But if you're ready to lie (or bend the truth) around compliance, I don't see why you wouldn't do the exact same thing for security if you were left alone with your own risks.

More "corporate personhood"? (1)

ArtFart (578813) | about 4 years ago | (#31741720)

This suggests (or admits) that companies practice a calculus regarding safeguarding of sensitive data whose release might cause harm to others. Particularly with respect to HIPAA, the implications are odious. It's saying that your organization actively weighs the trade-off in profitability between doing the absolute best that can be done to safeguard sensitive information about individuals, versus taking the hit in fines or monetary liability if there is a serious breach. That's like stating with a straight face that the well-being of your customers or employees really doesn't count for a tinker's damn.