Security Businesses Microsoft The Almighty Buck IT

Compliance Is Wasted Money, Study Finds

Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."
  • Well... (Score:3, Interesting)

    by Pojut ( 1027544 ) on Monday April 05, 2010 @04:17PM (#31740008) Homepage

    ...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.

  • CIP Anyone (Score:1, Interesting)

    by Anonymous Coward on Monday April 05, 2010 @04:25PM (#31740212)
    Look up critical infrastructure protection for a good example of a waste of time and money. Nebulous requirements that are audited to subjective standards by an agency that is funded by the fines they generate. What could possibly be wrong with that? When you see your electric bill rising this would be at least part of the reason why. It started out with good enough intentions: hold utilities accountable for the security of the systems used to provide critical services. However, in practice it's more about generating fines than it is about ensuring security.
  • by grimsnaggle ( 1320777 ) on Monday April 05, 2010 @04:26PM (#31740222)

    My school, working with VW, built a new building for automotive projects. It has handicapped parking spaces, handicapped showers and bathroom stalls, male and female restrooms, and multiple chemical showers. There are few handicapped people in the school, fewer in engineering, and none on any of the automotive teams - for obvious reasons. There are also very few females, to the point that unisex bathrooms (like those used in more gender-normal parts of campus) would have been a fine option.

    There's also wasted space for clearance around electrical panels (which are everywhere), inspection points, etc. All told, some 30% of the square footage of the new building is wasted by complying with regulations. And the government charged us $130/sq ft just for the permit.

    And we wonder why China is whipping our ass...

  • Sounds about right (Score:2, Interesting)

    by VTI9600 ( 1143169 ) on Monday April 05, 2010 @04:28PM (#31740252)
    What TFA refers to as "custodial data" (customer PII, CC numbers, etc.) *should* be protected by compliance with government and industry-specific regulation. If a company wants to shoot itself in the foot by not protecting intellectual property, trade secrets, sales leads, etc. then let them. CxOs are far more likely to be paranoid about security of their precious secrets than with their customers' data anyway, since one is an asset while the other is a burden (security-wise).
  • by prgrmr ( 568806 ) on Monday April 05, 2010 @05:02PM (#31740864) Journal
    The HIPAA regs have a lot of criteria for data protection, but practically nothing about how to implement or measure a given implementation for that criteria. I worked at a hospital where the CIO honestly thought that having backup tapes and a spreadsheet of prioritized servers to bring back up in the event of a disaster was a sufficient D.R. plan to cover what HIPAA required. So how did the study measure compliance?

    The answer is that they didn't. Nor did they measure effectiveness of compliance-based processes and procedures, nor did they take into account the benefit of being in compliance. There's a chart in the .PDF that contrasts "custodial data" with "secrets". One of the criteria is Consequences. For "Secrets", the consequence is revenue loss, which is not necessarily automatic; however, they don't list revenue loss for "custodial data", even though there will be some, even if short-term, drop-off in business due to the incident.

    The study is presented from the bias that the two commissioning companies wanted, namely to drum up a motive via this presumably expertly manufactured need for greater security for security's sake. And you can bet that both Microsoft and RSA are going to be using this study to drive more product sales, and doing so from the perspective that better overall security equals better compliance--whether it actually does, or not.
  • Re:Naturally... (Score:4, Interesting)

    by MillionthMonkey ( 240664 ) on Monday April 05, 2010 @05:12PM (#31741020)

    And people wonder why so few startups are going on that may produce new jobs.

    I've been to several startups in the past year that exist solely for compliance purposes. They'll have only a few customers, all large corporations. Typically they'll come up with some little scheme like building physical "appliances" that clients plug into their internal network and voila all this stupid traffic is being logged and kept on record and emails are flying out to customers a mile a minute. On average these outfits hire a couple dozen people. Very dull jobs but they pay well.

  • by cenobyte40k ( 831687 ) on Monday April 05, 2010 @05:24PM (#31741204)
    The idea behind those laws is not about protecting the company, it's about protecting the consumer and investor in that company. They are designed to give the same protection to the little investor, or individual customer the company doesn't care about, as the big guy the company could have trouble with if they piss him off. I know that these laws don't always work that way, but to say they don't help protect the company is like saying that lifeboats aren't worth anything because they don't help people trapped in the desert. If the boat doesn't help people at sea then it's worthless and we should do something about it. I don't care if murder being a crime doesn't help against rape, I still want it to be a crime.
  • Re:Well... (Score:5, Interesting)

    by Rophuine ( 946411 ) on Monday April 05, 2010 @06:58PM (#31742570) Homepage

    ...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.

    No, and that's the point of TFA. You have to invest heavily in HIPAA compliance. I worked in banking for years, and got a pretty good picture of why it happens this way.

    Here's how it was before compliance:
    [Some random CIO guy] thinks we need X level of security, and that's what we get. But it turns out [SRCIOG] isn't too good at working out how much security we need, so we get hacked and lots of [patients/customers/federal agents] lose all of their [medical records/money/lives]. We fire [SRCIOG] and hire [SRCIOG2], but it turns out we have the same problem.

    Compliance solves the arbitrary nature of the security level we aim at. We're now all aiming at Z, but the problem is [SRCIOG27] still doesn't really know what he's doing, and there's still budget pressure and he still doesn't think we REALLY need all that security because hackers happen to OTHER CIOs. So he looks at Z, and says "How can we meet each objective of Z in the cheapest and least intrusive fashion? After all, we have products to build, and research to do, and this compliance Z target is so expensive and annoying and FOR CRYING OUT LOUD DON'T TELL THE AUDITOR ABOUT THE OFFSITE BACKUP SYSTEM!!!?!"

    So yes, people focus on compliance and spend lots of money to get minimal security: it's a bad solution, but it's better than just letting them set their own (often much lower) standards. Some organisations will get it right, spend the resources appropriately, and end up with a compliance solution which provides real benefits and isn't costly to maintain. The pack, by and large, spend the minimum possible up front, and keep spending and spending and spending every year in order to convince the auditors they're "making good progress".

    Ultimately, compliance doesn't give us security. It gives us a big stick to beat people with when they blatantly ignore security.

  • by pongo000 ( 97357 ) on Monday April 05, 2010 @07:21PM (#31742820)

    I have a merchant account for my performance shop. I'm required by my merchant account bank to submit to "certification" via PCI-DSS. Certification consists of logging into a site yearly and answering a series of questions, such as "Are customer receipts printed so that no more than the last 4 digits of the customer's CC number are printed, with no expiry dates or CVVs?" It's like the psych tests you take for a government job: You basically answer what you believe they want to hear.

    The cost for this "certification" process? $100 a pop. I have no choice...get "certified" or lose my account.

  • Re:Naturally... (Score:3, Interesting)

    by Ritchie70 ( 860516 ) on Monday April 05, 2010 @09:09PM (#31743766) Journal

    PCI-DSS isn't government, though. It's supposedly an "industry coalition" but what it really is, mostly, is Visa.

    If anything goes wrong, the merchant involved can be found to be in violation - everyone is in violation if you look hard enough - so it's the merchant's fault.

    I read an article somewhere that said merchants should just find the cheapest, least competent auditor they can, and get them to declare the merchant PCI-DSS compliant, then do what you think is right to be secure.

    Anything else is just wasted money - because if there's a breach, by definition, you were insecure, and therefore not PCI-DSS compliant.

    So get the paper, then make yourself as secure as you possibly can, ignoring the BS from the auditors who don't really understand your environment.

    I'm not saying I 100% agree, but it is an interesting argument.

  • Re:wasted? (Score:3, Interesting)

    by Rophuine ( 946411 ) on Tuesday April 06, 2010 @04:45AM (#31745670) Homepage

    Are you sure it's true? It might be, but it could also be that overall, every 100 dollars spent on security reduces fraud by only 60 dollars. Your point about where the burden falls is valid, but for the economy as a whole it'd be better to just not bother.

    I'll counter with the same question: Are you sure it's true? PCI-DSS is an unusual example, because it's market-driven and there is competition. The PCI-DSS was developed by MasterCard. VISA have their own (similar) compliance program. American Express do something different again. There are all sorts of smaller card schemes which would like to compete, again with their own rules. VISA and MasterCard focus on security, while smaller schemes often go for enhanced services or lower fees. Again, PCI-DSS is driven by whatever generates the most Ferraris (which while not necessarily great for consumers, is kinda the foundation of capitalism - and thus, hard to separate, at least for me).

    In general terms, with things like medical privacy, doing it without a regulatory need generates 0 Ferraris. Doing it when there is a regulatory requirement (or at least, faking it) prevents the regulator from reducing your otherwise-positive Ferrari generation to zero (or worse, taking away Ferraris).

    I agree that lots of things on 'The List' (when making sure you're compliant) are going to be value-less. Some of them are probably counter-productive, in that they take away from Money-You-Would-Totally-Spend-On-Voluntary-Compliance-Initiatives-Not-Ferraris. But that was kinda my point: MasterCard doesn't care how many Ferraris YOU (as a bank/merchant/poor sucker who has to comply with PCI-DSS) earn. They care about how many Ferraris THEY earn. So you will install high-security mesh above your ceiling and encrypt all of your emails, even if neither of those things actually increases the security of your particular offering.

    Sadly, MasterCard were neither incompetent, nor charlatans, nor idiots, when writing the PCI-DSS: they just weren't very interested in protecting your money, except so far as it protected theirs. So, when it comes to government departments developing compliance schemes, what are they protecting? Their own jobs and reputations. And the best way to get fired from a cushy government job writing compliance documents for HIPAA? Write something that lets millions of patient records become public. The best way to keep getting paid? Make sure it's so long-winded and complicated that it would take forever to train your replacement.

    Thus, just like an under-graduate engineer on their first bridge design assignment: over-engineer, over-engineer, over-engineer.

  • by FreeUser ( 11483 ) on Tuesday April 06, 2010 @06:30AM (#31746098)

    There are two different objectives here, with (at least) two different processes. The first of these objectives is securing corporate assets. The second is securing sensitive individual information about people with whom the corporation does business. Security processes should ideally serve both objectives, but if that's impossible, then one process (or set of processes) has to be given priority over the other.

    You are quite right, as far as you go. In fact, there are at least four objectives being served here.

    (Disclaimer, I work at a large international investment bank)

    3. Kissing corporate executive ass
    4. Kissing government regulatory ass

    Most of compliance falls into the latter two categories, and is about perception and ticking of boxes in corporate compliance forms far more than protecting assets. In fact, more often than not, the compliance requirements result in technical and bureaucratic logjams that are so onerous that the employees of the company are forced to route around them in order to do their jobs, resulting in far less security than would be in place if the compliance requirements were more sensible (and common sense) and less attorney driven. In either event, neither corporate nor customer security is enhanced...merely the bottom line of government bureaucrats, third party vendors, an entire division of the company whose sole purpose is to prostrate themselves before the ass of said parties, and the most important bottom line of all: ticking off a few annual objectives of some of the higher-up executives so they can "show their impact" and pad their bonus.

    Day-to-day operating procedures are routinely decimated by this, but that only affects the bonuses and bottom line of the lower ranks and the day-to-day security of the firm...hardly a concern (after all, if something does happen, there's always someone (far) beneath said executives to fire).
