Ten years ago, self-regulation through the implementation of good security practices was thought to be the way organizations would protect their, and our, sensitive data, but the number of reported security incidents demonstrates that self-regulation doesn't actually work. It's like hoping that a kid does his homework only because he fully understands all the benefits for himself. In reality, this kind of self-governing behaviour requires some level of maturity and a deep awareness of the risks faced.
The use of compliance to improve security
When self-regulation doesn't work, the stick is not far away. The result has been an upsurge in the number of contractual and legal obligations, in the form of compliance programs, imposed on organizations in their respective business sectors.
As a consequence, nowadays compliance is a fact of life. Companies strain under requirements from state privacy laws, healthcare laws, industry regulations and all manner of contractual agreements with customers and partners. These rules and regulations often require organizations to protect sensitive data from threats to confidentiality, integrity or availability. They may also demand that organizations maintain uptime, recover from losses, monitor use, and undergo audits.
While compliance may require some understanding of security, it has as much to do with governance, process and documentation as it does with technology. Furthermore, compliance responsibility is often spread among the legal department, privacy officers, audit, human resources and, of course, IT security.
Facing the threat of financial penalties, legal proceedings or business disruption, companies unwillingly embark on this compliance journey. Unfortunately, the consequences for security aren't really positive. For the board, the objectives of compliance and security are very distant. Some companies have reallocated their already small security budget to the compliance project and focus that budget and their resources on achieving compliance in the shortest (and cheapest) possible way.
Obviously companies do not comprehend, or do not want to comprehend, the underlying message behind compliance: self-regulation doesn't work, and the stick doesn't really help. Security remains the poor stepchild.
One must rethink the problem. So let's step back and look at this question from another perspective: can we envisage a way to improve security through compliance? Probably, but we need to open our eyes and get creative. I would like to discuss this further with you, so I've started a community group for this purpose. Please join the Compliance Paradigm group and let's talk.
Didier