Topics: Security, Businesses, Microsoft, The Almighty Buck, IT

Compliance Is Wasted Money, Study Finds

Posted by Soulskill
from the missing-the-point dept.
Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."


  • Naturally... (Score:5, Insightful)

    by russotto (537200) on Monday April 05, 2010 @04:14PM (#31739964) Journal

    Screw up with your customers data, and the worst that happens is you get a PR black eye, or you lose money. Don't follow regulations and unless you've got a Congressman in your pocket, you can go to jail.

    • by sorak (246725)

      Screw up with your customers data, and the worst that happens is you get a PR black eye, or you lose money. Don't follow regulations and unless you've got a Congressman in your pocket, you can go to jail.

      Agreed. What statistics should they be showing to make "obey the law" a priority? And what part of this summary shows that it is currently too much of one?

      • Re:Naturally... (Score:5, Insightful)

        by Anonymous Coward on Monday April 05, 2010 @08:43PM (#31743568)

        Posting anonymously for semi-obvious reasons....

        I work for a Fortune 200 firm. We have branches in all 50 states (and many countries as well, but I'm in the US division.)

        Every locality - city, state, whatever - has its own little set of laws. Some of the tax laws are very complex. Our software can't handle all of them.

        So every one that comes up, one of the questions that go into the decision making is this: How big is the fine if we don't?

        If the defined fine is less than it will cost to implement the change, sometimes we let it go and figure we'll pay the fine if we're caught.

        On the other hand, it's absolutely true that compliance gets a higher emphasis and a higher visibility than actual security. We're redoing our credit card processing at the moment, and although the new implementation meets the PCI-DSS regulations better than the old one (in other words, it does) it also has a much larger potential for major data loss.

        The old architecture was totally decentralized. You would have to compromise each of our locations to get their credit card data.

        The new one is centralized. Compromise one server and you've got it all.

    • by Z00L00K (682162)

      All too true - screw up the Sarbanes-Oxley Act and you will be thrown with some interesting instruments up your rear end.

      And if you screw up some decree by DHS or any other department with a three-letter acronym you will get roasted slowly over a pit and then thrown to the polar bears. If you have a congressman or senator handy you may be able to avoid the polar bears, but you may also have company instead when you visit them.

      And people wonder why so few startups are going on that may produce new jobs. It's

      • Re:Naturally... (Score:4, Interesting)

        by MillionthMonkey (240664) on Monday April 05, 2010 @05:12PM (#31741020)

        And people wonder why so few startups are going on that may produce new jobs.

        I've been to several startups in the past year that exist solely for compliance purposes. They'll have only a few customers, all large corporations. Typically they'll come up with some little scheme like building physical "appliances" that clients plug in to their internal network and voila all this stupid traffic is being logged and kept on record and emails are flying out to customers a mile a minute. On average these outfits hire a couple dozen people. Very dull jobs but they pay well.

  • by Citizen of Earth (569446) on Monday April 05, 2010 @04:16PM (#31739994)
    The purpose of the 'process' is to serve the 'objective'. When serving the process becomes the objective, you're boned.
    • by Daniel Dvorkin (106857) * on Monday April 05, 2010 @04:28PM (#31740258) Homepage Journal

      There are two different objectives here, with (at least) two different processes. The first of these objectives is securing corporate assets. The second is securing sensitive individual information about people with whom the corporation does business. Security processes should ideally serve both objectives, but if that's impossible, then one process (or set of processes) has to be given priority over the other. As a customer of, say, Amex or Cigna, I care a whole hell of a lot more about the second objective than the first, so it doesn't displease me at all that the processes related to that objective are well-funded.

      • Not true. A well designed process could serve both objectives - if they're mutually exclusive then explain how - but frequently what passes for designing a process is actually an exercise in box ticking that over time can become a process in itself.

        • But there are two different objectives, one is fostering the corporate profits and the other is public safety. As much as we decry regulations, what would it be like if there were no traffic lights or stop signs, or even worse, there were but people did not pay attention to them. The stop lights do a tremendous amount of good; they reduce moving accidents to close to zero while allowing cars to speed along through light after light, when things are timed well, without stopping, maintaining an even speed. That s

      • There are two different objectives here, with (at least) two different processes. The first of these objectives is securing corporate assets. The second is securing sensitive individual information about people with whom the corporation does business. Security processes should ideally serve both objectives, but if that's impossible, then one process (or set of processes) has to be given priority over the other.

        You are quite right, as far as you go. In fact, there are at least four objectives being served h

    • When serving the process becomes the objective, you're... ... just following "Best Practices," right?

      It's really not that some things that end up in the conceptual bin labeled "Best Practices" are bad ideas. But there are two classes of people who are following/implementing them: those who understand the principles that gave rise to the rules, and those who don't. Becoming part of the former group generally takes a significant up-front investment. Becoming part of the latter group doesn't. Meanwhile, the ben

  • Well... (Score:3, Interesting)

    by Pojut (1027544) on Monday April 05, 2010 @04:17PM (#31740008) Homepage

    ...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.

    • Re:Well... (Score:5, Interesting)

      by Rophuine (946411) on Monday April 05, 2010 @06:58PM (#31742570) Homepage

      ...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.

      No, and that's the point of TFA. You have to invest heavily in HIPAA compliance. I worked in banking for years, and got a pretty good picture of why it happens this way.

      Here's how it was before compliance:
      [Some random CIO guy] thinks we need X level of security, and that's what we get. But it turns out [SRCIOG] isn't too good at working out how much security we need, so we get hacked and lots of [patients/customers/federal agents] lose all of their [medical records/money/lives]. We fire [SRCIOG] and hire [SRCIOG2], but it turns out we have the same problem.

      Compliance solves the arbitrary nature of the security level we aim at. We're now all aiming at Z, but the problem is [SRCIOG27] still doesn't really know what he's doing, and there's still budget pressure and he still doesn't think we REALLY need all that security because hackers happen to OTHER CIOs. So he looks at Z, and says "How can we meet each objective of Z in the cheapest and least intrusive fashion? After all, we have products to build, and research to do, and this compliance Z target is so expensive and annoying and FOR CRYING OUT LOUD DON'T TELL THE AUDITOR ABOUT THE OFFSITE BACKUP SYSTEM!!!?!"

      So yes, people focus on compliance and spend lots of money to get minimal security: it's a bad solution, but it's better than just letting them set their own (often much lower) standards. Some organisations will get it right, spend the resources appropriately, and end up with a compliance solution which provides real benefits and isn't costly to maintain. The pack, by and large, spend the minimum possible up front, and keep spending and spending and spending every year in order to convince the auditors they're "making good progress".

      Ultimately, compliance doesn't give us security. It gives us a big stick to beat people with when they blatantly ignore security.

      • Re: (Score:3, Insightful)

        by RMH101 (636144)
          I spent 10 years in pharma IT. Compliance gives you, as the IT tech guy, a stick to hit the bean counters with to justify your security. You have serious licence-to-operate FDA tigers growling at you, and it's no longer acceptable to not bother with some reasonable baseline of security and repeatability - ComVal. If you need to spend a small fortune on fixing a security problem, you'll get it if you phrase your request in terms of compliance.
  • wasted? (Score:4, Insightful)

    by Lord Ender (156273) on Monday April 05, 2010 @04:18PM (#31740032) Homepage

    If you aren't compliant, you won't be able to sell certain services or take on certain customers. Being compliant is certainly not a waste from a business standpoint.

    • Re:wasted? (Score:4, Insightful)

      by CrimsonAvenger (580665) on Monday April 05, 2010 @04:25PM (#31740198)

      If you aren't compliant, you won't be able to sell certain services or take on certain customers. Being compliant is certainly not a waste from a business standpoint.

      Note that if the Feds required that all of your marketing department drive Rolls-Royces, then what you said would still be true.

      It would even be true if the Feds required that any software guy had to wear a clown suit to work.

      Neither of these things is at all relevant to your business, however. And the point of the article is that much of the (unnecessary) compliance requirements of various Federal laws are about as important as my two examples.

      • Re:wasted? (Score:4, Informative)

        by Jah-Wren Ryel (80510) on Monday April 05, 2010 @04:29PM (#31740280)

        FWIW - PCI-DSS is a requirement of Visa, Mastercard, et al. Not the feds.
        It is an acronym for "Payment Card Industry Data Security Standard."

        • Irrelevant - it's still an economic loss if it doesn't really add value[1] to the product or service being delivered.

          Lead lifejackets sink, regardless of whether they're ISO 9001 certified or not, and regardless of who requires that certification.

          [1] strictly, add more value than it costs

          • by idontgno (624372)

            OTOH, if your cruise line gets more bookings because you can advertise your ISO 9001 certified life jackets, it's quite possibly a business win. And if a passenger complains about the weight, you can make up some crap about shielding ("for your health") and cosmic rays.

            In other words "add value" actually means "add perceived value". The difference? Marketing.

          • Re:wasted? (Score:5, Insightful)

            by Rophuine (946411) on Monday April 05, 2010 @07:09PM (#31742686) Homepage

            The problem is that you're right. Compliance doesn't generally add value to the individual product or service. It adds value to the network or industry. Take PCI-DSS and the VISA and MasterCard networks.

            Each individual bank/merchant wants to spend the minimum possible. As one of 30,000 odd banks on the network, or one of however many millions of merchants, they think their odds of being involved in a major breach are pretty small, and the risk of a lot of people losing a lot of money is that they change their name and set up shop down the road (in the case of a merchant), or shake their head, say they're sorry, and spend a million bucks on a brand name security solution (in the case of the banks). If you spend a little bit of money before anything happens, you raise the bar a bit, and reduce your risk a bit, but still, YOUR customers don't really see any benefit to those fee rises, so lots of places just try to sit below the radar of the hackers and the scammers and the other random crims.

            Enter compliance: VISA and MasterCard say "hey, this sucks, nobody will spend money on security 'cause they think it won't happen to THEM. But EVERY SINGLE TIME IT HAPPENS, IT HAPPENS TO US. If each bank has one little problem once a year, we have THIRTY THOUSAND problems, and we're SICK OF IT." So they go to industry and say "you guys have to do this. And this. And this and this and this. And if you don't do it, we're gonna fine you a hundred grand. And if you don't pay the fine AND fix the problem, you're off our network, which pretty much means you're out of business."

            And VISA and MasterCard create a whole new industry, and lots of jobs, and it turns out having a minimum level of security (or at least, a big stick to hit people with if they don't bother with a minimum level of security) is actually a financial plus across the system as a whole, even if it's bad for some of the businesses. And consumer confidence is up, too, so we have more people spending more money, so even the banks and the merchants are happy in the end (by and large). And VISA and MasterCard say "HEY! This is cool, our profit margins are much better. Let's pay ourselves bigger bonuses."

          • Lead lifejackets reminds me of a Navy joke I heard once. A new recruit was an absolutely useless swimmer, despite the repeated attempts to train him. Eventually his Drill Instructor yelled at him in frustration "Sailor, if your ship ever goes down, your best chance is to sink straight to the bottom as fast as you can and run towards the nearest coastline".
          • "Irrelevant- it's still an economic loss if it doesn't really add value to the product or service being delivered."

            Very interesting wording and probably the very basis of the last economic recession.

            What about trying to add value *to the customer* for a change instead of "to the product or service"?

            Since people like you won't think about it that way regulation becomes a must.

      • Re:wasted? (Score:4, Insightful)

        by Lunix Nutcase (1092239) on Monday April 05, 2010 @04:29PM (#31740292)

        So you think that the feds requiring people to protect your health records, for example, is a waste? Would you really rather go back to a time when the same companies didn't care? Sure these compliance laws are usually flawed in many ways, but since this holds the companies accountable for a minimum of data security at least they will do something whereas they would normally do nothing.

        • Re: (Score:3, Insightful)

          by Jah-Wren Ryel (80510)

          Would you really rather go back to a time when the same companies didn't care?

          I think I would because I would like to see the follow-on effects. I believe that most of HIPPA is smoke & mirrors, that violations are rampant and the requirements full of loopholes thus it gives a false sense of security to the public. I would rather the public be made acutely aware of the risks and that instead of just trusting that the law will protect the public, that we start relying on other mechanisms, like minimizing the data we give to health care companies and allow them to keep. It's a lo

          • Yeah, free market all the way, baby -- I mean, look what getting rid of regulation did for our banking choices!

            Oh, wait...
            • Yeah, free market all the way, baby -- I mean, look what getting rid of regulation did for our banking choices!

              You seem to misunderstand my point. The current situation with respect to HIPAA is more akin to regulatory capture than it is to actual regulation. Same thing with the result of the CDO fiasco and follow-on failures in banking - if the banks had not so effectively captured their own regulatory agencies and the entire government beyond them, we probably wouldn't have seen so many people willing to 'risk' all that money in the first place, and we definitely would not have seen the massive bailout that follo

          • Re:wasted? (Score:5, Insightful)

            by peragrin (659227) on Monday April 05, 2010 @05:18PM (#31741122)
            And that is why your delusion is worse. Without HIPAA, companies weren't held responsible because it was always some other company's fault. Every company could plead it wasn't us because there was no way to track who was actually responsible.

            There is a reason greed is a deadly sin in some religions. Let's try this another way. In Dec. 2006 Circuit City BOD executives, noticing a small drop in sales and in need of their bonus checks, fired their top 3000 sales earners: the top 3000 who the company paid the most in salary that weren't managers, but who also accounted for the majority of their sales. They paid themselves tens of millions of dollars in bonuses. By July 2007 sales were a third of what they should be, and by Dec. 2007 most stores were closing up as the whole company was bankrupt.

            That same kind of executive thinking is found in the majority of CEOs. Read http://money.cnn.com/galleries/2010/news/1004/gallery.top_ceo_pay/index.html?source=cnn_bin&hpt=Sbin [cnn.com]: over half the people on this list have gotten major bonuses yet are still posting losses for the same year. Do you want that kind of thinking to have total but deniable control over your health? That is life without HIPAA.

            Just remember the vast majority of laws are there because someone abused something to the detriment of many. The law may not be perfect but having it is better than the alternative.
            • And that is why your delusion is worse.

              What do you mean by "that?" My belief that if people weren't misled into trusting corporations they would be less cooperative? Or that HIPPA is minimally effective? Or something else that you've projected on to my writings that I didn't say?

              Just remember the vast majority of laws are there because someone abused something to the detriment of many. The law may not be perfect but having it is better than the alternative.

              I don't agree that laws which are the equivalent of "doing something, anything, just do something!!" are better than encouraging people to think critically about their own risk exposure.

              Certainly the case of "The War On Drugs" is a behemoth of a counter example

          • . I believe that most of HIPPA is smoke & mirrors

            Maybe HIPPA is, but what about HIPAA?

            that violations are rampant

            Of which specific rules, and what is the basis for this belief?

            and the requirements full of loopholes thus it gives a false sense of security to the public.

            Actually, the fact that the part of the public that pays any attention at all hasn't felt secure even with the rules imposed under HIPAA is why those rules have been tightened substantially several times since they were initially imposed.

          • by Eskarel (565631)

            I miss HIPAA. I work in health IT in a country which doesn't have it (we have health security laws but they're a lot more general and vague), and not having it is more of a pain than having it.

            Security regulations are necessary because "Doing what you've asked for is a bad idea because of X" doesn't work unless X is "the government will come and throw your rear in jail". HIPAA isn't perfect, and regulatory compliance certainly eats up a lot of your time, but the default position for most execs in most indust

        • by Gerzel (240421)

          Go back in time? Many companies don't care now. In general the larger the company the less they care.

        • by e2d2 (115622)

          Yeah, no doubt. Can you imagine how quickly your health records would make it to the data exchanges they use now to trade personal information? Facebook would wet its pants. I see you suffer from migraines, so you should friend Bayer Aspirin!

        • Re: (Score:3, Insightful)

          by WalkingBear (555474)

          Federal requirements to protect health records, financial data, personal information, etc. are great things. Federal requirements that say "unlawful disclosure of X information will result in Y penalties" are definitely a good thing. Federal requirements stating *HOW* every business within an industry, or even across all industries, performs a function are outdated at best, counter-productive at worst, before the ink's dry on the legislation.

        • by pclminion (145572)

          So you think that the feds requiring people to protect your health records, for example, is a waste?

          I would rather that my health records are ACTUALLY protected, rather than companies simply complying with regulations which may, or may not, actually protect my health records. The point here is that a lot of resources are being expended in order to comply with regulations. Insofar as complying with regulations actually protects my data, I'm fine with that. But do the regulations actually make anything more

          • Re:wasted? (Score:5, Insightful)

            by Rophuine (946411) on Monday April 05, 2010 @07:12PM (#31742722) Homepage

            So yes, I think it's a waste that the government forces corporations to spend a shit ton of money doing things that don't actually help me, instead of spending that money actually securing my data.

            You're positing that if HIPAA was removed, industry would take all that wasted compliance money and spend it on security. I postulate that they'd instead take all that wasted compliance money and spend it on Ferraris.

        • but since this holds the companies accountable for a minimum of data security at least they will do something whereas they would normally do nothing.

          Amen to that. And, to expand on the thought, a lot of federal regulations are there for a reason, usually because someone was doing the very thing that is prohibited, to the detriment of the public's best interest. Rules are often there because there are always a few self-interested jerks.
      • We the People have decided that certain types of compliance are relevant to certain businesses. If you don't like it, lobby to change the laws. You probably won't have a whole lot of luck convincing people that protecting personal medical data is in the same class as some absurd requirement like "wear a clown suit to work," though.

      • Re: (Score:3, Insightful)

        by Gerzel (240421)

        Neither is having a good fire escape strictly relevant to manufacturing shirt-waists, but it is still necessary for a good reason.

        You have to look at why the compliance regulations are there and not if the regulations themselves have anything to do with the business.

        The process is part of the goal in order to make sure things get done and done correctly. While yes many can indeed do things correctly outside of the process and many more might be able to muddle through the process is a form of insurance paid

      • Note that if the Feds required that all of your marketing department drive Rolls-Royces, then what you said would still be true.

        It would even be true if the Feds required that any software guy had to wear a clown suit to work.

        Neither of these things is at all relevant to your business, however.

        If the consequence of violating the federal requirements is large fines, throwing your noncompliant employees in prison, and prohibiting you from operating in your current line of business, then they all would be dire

    • Re:wasted? (Score:5, Informative)

      by Jer (18391) on Monday April 05, 2010 @04:30PM (#31740314) Homepage

      The title of the Slashdot summary is unsurprisingly misleading and inflammatory. Reading TFA it doesn't suggest that money going into compliance is "wasted" - it suggests that companies aren't spending enough money to protect their own IP from corporate thieves.

      IOW - the article suggests that companies are spending the same amount of money to protect so-called "custodial" data (i.e. information they've collected about their employees and customers that is protected by HIPAA and other statutes) and their own IP. But the financial losses from losing their own IP are substantially higher than the losses they'll incur through leakage of "custodial" data, so they actually should be spending more money protecting IP than they spend on protecting custodial data.

      The underlying assumption in the article is that, unless you've implemented your compliance stupidly, you actually can't fix this disparity by spending less money. You can't cut your budget on compliance because it's required by statute. So instead you should be spending more money on protecting IP assets so that the ratios more realistically reflect the importance of the data being protected. Money that Microsoft and RSA, the funders of the study, are happy to take to help you implement solutions to protect your oh-so-valuable IP assets.

      • by bar-agent (698856)

        The article says that more budget is spent on compliance than on security, but so what? I hope the audience for this report is smart enough to know that it is hogwash. I fully expect data security to be cheaper than compliance, so of course compliance takes up more of the budget. I mean, think about it. Once your data security infrastructure is in place, the on-going expenses aren't going to be too high. I don't think the same can be said about your on-going compliance expenses.

  • So you're saying (Score:5, Insightful)

    by compucomp2 (1776668) on Monday April 05, 2010 @04:21PM (#31740088)
    If there were no regulations and standards, then all the money would be funneled into actual security protocols?

    Doesn't seem like that would be the case, especially since they are now just "going through the motions" to ensure compliance with regulations. The companies may well ignore data security altogether. By complying with regulations there is at least some level of security.

    It's like the teachers' complaint that standardized tests force them to "teach to the test", well at least they're teaching something rather than nothing, which was the point of the test in the first place.
  • by Daniel Dvorkin (106857) * on Monday April 05, 2010 @04:21PM (#31740098) Homepage Journal

    If a company's IP is insecure, it may, possibly, lose some money. If data which falls under regulation is insecure, people go to prison. This is exactly as it should be, and so the "imbalance" is entirely appropriate.

    I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information. Fortunately, most people in the world are sane enough to disagree.

    • by Attila Dimedici (1036002) on Monday April 05, 2010 @04:32PM (#31740344)

      If a company's IP is insecure, it may, possibly, lose some money. If data which falls under regulation is insecure, people go to prison. This is exactly as it should be, and so the "imbalance" is entirely appropriate.

      I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information. Fortunately, most people in the world are sane enough to disagree.

      An important correction: if data which falls under regulation is not kept according to the regulation people go to prison. If following the regulation decreases the security of the data, no problem.

      • Re: (Score:3, Insightful)

        An important correction: if data which falls under regulation is not kept according to the regulation people go to prison. If following the regulation decreases the security of the data, no problem.

        Fair enough, and if you can show that following HIPAA regulations makes personal medical data less secure, go for it. But the article doesn't address this point at all. They're talking solely about the relative value of corporate IP vs. data such as medical and credit information which is covered by regulation, and making the (absurd, to most people with a brain) argument that because the first is more valuable to the corporation than the second, corporations should spend their security dollars accordingl

        • Re: (Score:3, Informative)

          by profplump (309017)

          I know for a fact that some insurers and claims processors have stopped using encrypted archives and moved to faxes for "secure" documents, because faxes only fall under the privacy rule, not the security rule, and their archive vendor would not indemnify them against security rule violations.

          I seriously doubt this is the only example of "following the specific rules decreases system security" related to HIPAA or any other rule-based security policy/regulation. It's pretty much a given that any new rule you en

    • Who has gone to prison (in the US) for not securing data, pre the standards being discussed in the article?

      • Re: (Score:3, Insightful)

        Who has gone to prison (in the US) for not securing data, pre the standards being discussed in the article?

        Before the standards were in place? Nobody, of course. Which is why the standards were put in place!

        If you think the standards are unrealistic, or don't achieve their objectives, or could be implemented better ... fine, those are all valid points. But TFA doesn't address that at all. The point of HIPAA, PCI-DSS et al. is to ensure that corporations which deal with sensitive personal data take appropriate care with that data. Apparently some people in the executive suite are whining that they have to sp

        • No, since the standards were put in place, obviously. There have been some fairly extensive violations. Some companies have violated HIPAA multiple times. Who has gone to jail?
      • PCI is a contractual thing rather than a criminal law, and unless I'm unusually badly mistaken the criminal penalties of HIPAA only come up for deliberate breaches (e.g. selling Tiger Woods's STD report to the National Enquirer, as opposed to being careless with infosec).

        • PCI is a contractual thing rather than a criminal law, and unless I'm unusually badly mistaken the criminal penalties of HIPAA only come up for deliberate breaches (e.g. selling Tiger Woods's STD report to the National Enquirer, as opposed to being careless with infosec).

          You are mistaken: while the most serious category of criminal penalty under HIPAA (up to $250,000 fine and up to 10 years in prison) is reserved for offenses involving the intent to sell, transfer, or use individually identifiable health in

    • I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information.

      We can't make that supposition based on this paper.

      What we can suppose is that the people at Forrester Research think that getting paid to write white papers is more important than what they personally think. :)

      That's my view on Forrester, Gartner, etc.

    • by roman_mir (125474)

      Nobody in the corporate world goes to prison for any violation, they get bailouts.

      People who go to prison from the corporate world are not going there for actual violations of the law but for different reasons. For example Bernard Madoff is in prison not because of anything that the government could do to him but because if he stayed out of prison he would have been dead by now.

  • by TheNinjaroach (878876) on Monday April 05, 2010 @04:23PM (#31740138)
    Regulations are in place to force companies to protect data that they would otherwise have very little incentive to protect. Protecting data that is important to the company itself comes naturally and does not require mandates.
    • Re: (Score:3, Informative)

      by guruevi (827432)

      The main problem with most compliance protocols (HIPAA or PCI) is that at best they do nothing at all, at worst it's actually counterproductive as it opens the company up to more breaches (due to human nature, laziness or conflicting policies).

      I am involved in both HIPAA and PCI compliance and in the past I have been involved with Sarbanes-Oxley as well. For example with PCI as well as Federal wiretapping compliance, you need to have your respectively wireless and public networks (if you're a de-facto wirel

      • Re: (Score:2, Insightful)

        I think you have some misconceptions about PCI. "At best", I have seen PCI make companies improve firewall rules, secure WLANs, and encrypt your plaintext credit card numbers (for starters).

        If someone has told you that PCI requires using a 3rd party provider for public networks, you should get a second opinion. I have never seen that required or implemented.

        Similarly, your firewall problem seems specific to your implementation. PCI requires firewalls between public networks and the cardholder data env
    • You might think so, and there are probably organizations where that's true, but in my practice I've been getting clients I never would have before who've been jolted out of apathy by finding that there are security measures that someone else is telling them to take.

  • by Jah-Wren Ryel (80510) on Monday April 05, 2010 @04:25PM (#31740202)

    their security programs are driven mainly by compliance, rather than protection (PDF).

    Sadly, this seems to be the way of the world. Even the things you would expect to be high-security, like classified information, tend to get this sort of treatment. I like to call it "Checklist Security" because most of the people doing security work are more interested in checking off steps in an official procedure to CYA themselves than in making sure that whatever they are trying to protect is actually secured.

    The TSA is another classic example - no containers of liquid greater than 100ml on the plane because that's on the checklist, but indiscriminate dumping of hundreds of them into one big trash bucket next to 30+ people in line at the checkpoint is fine because that's not on the checklist.

    • The TSA is another classic example - no containers of liquid greater than 100ml on the plane because that's on the checklist, but indiscriminate dumping of hundreds of them into one big trash bucket next to 30+ people in line at the checkpoint is fine because that's not on the checklist.

      It's always a fun discussion to have with the security personnel (just make sure it's not one you have at the airport).

      "Suppose you saw someone with what looked like a hand grenade on his belt, would you tell him to just dum

    • Box-checking mostly deserves its bad reputation, but I feel so sorry for it that I'm moved to defend it a little.

      Box-checking helps prevent security-aware people from overlooking something.

      Box-checking helps prevent security-unaware people from doing nothing.

      • Box-checking mostly deserves its bad reputation, but I feel so sorry for it that I'm moved to defend it a little.

        I'm a big fan of checklists as a tool. [smartplanet.com]
        But in the security domain too often they are an end rather than a means.

      • by Qzukk (229616)

        Actually, box-checking is a great way of making sure everything on the list gets done (when you have a way to check to make sure that whoever is checking the boxes is actually doing the work and not just taking 30 seconds to fill in the blanks).

        The problems arise when the checklist is put together by people without a clue and/or has no mechanism for updating it in a timely manner. The checklist ends up missing important things that never get added or having extra checkboxes that don't fit the goal of the l

  • For corporate officers, it's essential.
    The problem arises when scarce resources, and inadequate competence, mean that 'are we secure?' becomes 'are we complying?'
    Hence the tendency to run towards out of the box 'solutions' that are often far from 100% secure.
    We, (IT guys) have our share of responsibility; it's very difficult, (but not impossible), to get senior management to take this point seriously.
    Tip: I normally wait for a 'AMG Google hacked by the Chinese' news item before pouncing...

  • by grimsnaggle (1320777) on Monday April 05, 2010 @04:26PM (#31740222)

    My school, working with VW, built a new building for automotive projects. It has handicapped parking spaces, handicapped showers and bathroom stalls, male and female restrooms, and multiple chemical showers. There are few handicapped people in the school, fewer in engineering, and none on any of the automotive teams - for obvious reasons. There are also very few females, to the point that unisex bathrooms (like those used in more gender-normal parts of campus) would have been a fine option.

    There's also wasted space for clearance around electrical panels (which are everywhere), inspection points, etc. All told, some 30% of the square footage of the new building is wasted by complying with regulations. And the government charged us $130/sq ft just for the permit.

    And we wonder why China is whipping our ass...

    • by rickb928 (945187)

      $130/sq ft for the permit? Usually commercial buildings go for $145 [dcd.com]-$300 [jaypgreene.com]/sq ft. Maybe you meant $13/sq ft? Actually which 'government'? The one that operates the school, the one that runs things where the school is? Of course, if it's the Chattanooga school, well, doesn't seem so different from many places in the U.S. Not many 'governments' here charge you even half of the construction cost for permits, but ya learn something new every day.

      And clearance around utilities and equipment isn't 'wasted space

      • by Blakey Rat (99501)

        $130/sq ft for the permit? Usually commercial buildings go for $145-$300/sq ft. Maybe you meant $13/sq ft?

        I'm confused by your "correction." He said $130, you say they go from $145-$300... sounds definitely close to the correct value to me. Then you propose he meant a value 10 times less? Huh?

        • by rickb928 (945187)

          No, I said CONSTRUCTION COSTS were $145-$300/sq ft. The poster said PERMITS were $130/sq ft.

          I seriously doubt permits go for any appreciable fraction of building costs. Some local levy might, but permits? After about 15% I would think something is wrong.

          Of course, there is always something wrong with the permitting process...

        • I'm confused by your "correction." He said $130, you say they go from $145-$300... sounds definitely close to the correct value to me. Then you propose he meant a value 10 times less? Huh?

          I think he's saying permit fees are approximately equal to building costs in his jurisdiction.

    • Re: (Score:3, Insightful)

      by vlm (69642)

      Sometimes things are overbuilt for future use. For example in my area a large building at the local CC was designed and built for a "printing industry center of excellence". Crashed and burned, now they have general ed classes in the empty rooms.

      The womens bathrooms will get more use when VW moves out and nursing holds some classes in the empty rooms. Or the handicapped folks training to become accountants, or whatever.

      I find it highly unlikely you'll pay $130/sq for a permit alone. Maybe total project

  • Sounds about right (Score:2, Interesting)

    by VTI9600 (1143169)
    What TFA refers to as "custodial data" (customer PII, CC numbers, etc.) *should* be protected by compliance with government and industry-specific regulation. If a company wants to shoot itself in the foot by not protecting intellectual property, trade secrets, sales leads, etc. then let them. CxOs are far more likely to be paranoid about the security of their precious secrets than about their customers' data anyway, since one is an asset while the other is a burden (security-wise).
    • How do you protect intellectual property data and at the same time allow people to work on it?

      • by oatworm (969674)
        Use the usual suspects - auditing and access controls. Make sure nobody that shouldn't or needn't have access to it does and keep track of when/where/what/how/why those that do are accessing it. Many of the security regulations deal with the "what" part (PCI-DSS says you normally don't get to keep your customer's credit card number, no matter how profitable it might be for you to keep it lying around in an Excel spreadsheet somewhere) and the "how" part (no, you don't get to access your medical network th
        • Make sure nobody that shouldn't or needn't have access to it does

          How can someone work on it when they don't have access to it? You know, we want to stop our sales people having access to the customer database - that kind of thing. Well confiscate their pencils and poke their eyes out...

          • by oatworm (969674)
            Easy. First, define what parts of the customer database they absolutely need access to and what kind of access they need. Does every salesperson need all of the information about every customer, or can you just hand them the customer records that they absolutely need? Are there certain records in the database that you don't want them overwriting (pricing/financial/etc.) that they do need write access to? Are there certain records that they absolutely do not need to be able to read?

            Then, once you've i
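The "define what they need, scope it to their own records, split read from write, and keep track of who touched what" approach described in the comment above, as an added example that is not part of the thread. It is a small policy-enforcing access layer in Python: the roles, column sets, record fields and sample customers are all assumptions constructed for illustration, not anything from the original post. Every access attempt, allowed or denied, lands in an audit log, and card data is readable by nobody.

```python
"""Least-privilege access to a customer table with an audit trail.

Added example, not from the thread. Roles, columns and the sample
customer records below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample data: each customer record is "owned" by one sales rep.
CUSTOMERS: Dict[int, Dict[str, object]] = {
    1: {"name": "Acme Ltd", "contact": "a@acme.example", "owner": "alice",
        "list_price": 1000, "discount": 0.10, "card_last4": "4242"},
    2: {"name": "Globex", "contact": "g@globex.example", "owner": "bob",
        "list_price": 2500, "discount": 0.00, "card_last4": "1111"},
}


@dataclass(frozen=True)
class Role:
    readable: frozenset   # columns this role may read
    writable: frozenset   # columns this role may update
    own_rows_only: bool   # row scope: only records the user owns?


# Assumed role definitions. Note that no role can read card_last4:
# the least-privilege answer to "who needs card data?" is "nobody here".
ROLES: Dict[str, Role] = {
    # Sales reps: own accounts only, may edit contact details, pricing read-only.
    "sales": Role(readable=frozenset({"name", "contact", "list_price", "discount"}),
                  writable=frozenset({"contact"}), own_rows_only=True),
    # Finance: every account, may set pricing, no contact edits.
    "finance": Role(readable=frozenset({"name", "list_price", "discount"}),
                    writable=frozenset({"list_price", "discount"}), own_rows_only=False),
}


@dataclass
class AuditEntry:
    user: str
    action: str
    record: int
    columns: tuple
    allowed: bool


AUDIT: List[AuditEntry] = []   # the "when/who/what/how" trail


class AccessDenied(PermissionError):
    pass


def _check(user: str, role_name: str, action: str, record_id: int, columns) -> dict:
    """Apply row scope and column permissions, log the decision, deny by default."""
    role = ROLES[role_name]
    row = CUSTOMERS.get(record_id)
    allowed = row is not None
    if allowed and role.own_rows_only and row["owner"] != user:
        allowed = False                                  # outside the user's row scope
    permitted = role.readable if action == "read" else role.writable
    if allowed and not set(columns) <= permitted:
        allowed = False                                  # asks for a column it may not touch
    AUDIT.append(AuditEntry(user, action, record_id, tuple(columns), allowed))
    if not allowed:
        raise AccessDenied(f"{user}/{role_name} may not {action} {list(columns)} on record {record_id}")
    return row


def read(user: str, role_name: str, record_id: int, columns) -> dict:
    """Return only the requested, permitted columns of one record."""
    row = _check(user, role_name, "read", record_id, columns)
    return {c: row[c] for c in columns}


def update(user: str, role_name: str, record_id: int, changes: dict) -> bool:
    """Write only permitted columns; the whole request fails if any column is not writable."""
    row = _check(user, role_name, "write", record_id, list(changes))
    row.update(changes)
    return True


def is_denied(fn: Callable, *args) -> bool:
    """Helper for demos/tests: True if the access attempt was refused (and logged)."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


if __name__ == "__main__":
    print(read("alice", "sales", 1, ["name", "list_price"]))
    print("alice reads bob's account:", is_denied(read, "alice", "sales", 2, ["name"]))
    print("alice reads card data:", is_denied(read, "alice", "sales", 1, ["card_last4"]))
    print("alice sets a discount:", is_denied(update, "alice", "sales", 1, {"discount": 0.5}))
    update("carol", "finance", 2, {"discount": 0.25})
    for e in AUDIT:
        print(e)
```

The denied attempts matter as much as the allowed ones: a sales rep repeatedly probing other reps' accounts, or anything at all asking for card data, is exactly what the audit log exists to surface. In a real deployment this logic belongs in the database (row-level security, views, column grants) or a single data-access service, not scattered through application code where one forgotten check bypasses it.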
  • Maybe security compliance might be a waste of money (eg, security through obscurity), but lets not forget that if your website isn't accessible to the disabled that you can be sued for it. I'm not sure if there are any state or federal mandated security requirements, but I imagine consumers can sue you after a break-in when you're not security compliant.
  • Enterprises devote 80% of their security budgets to two priorities: compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each.

    So, the same amount of money is being spent between compliance and securing IP.

    The paper suggests that companies should put more emphasis on the securing IP (trade secrets, etc.) and less on compliance. (Even after taking into consideration the penalties and punishments of a compliance failure)

    It should also be pointed out that by compliance they mean all efforts to secure other people's information. So not just federal requirements, but also contractual obligations, and private lawsuits and PR problems t

  • One of two ways (Score:5, Insightful)

    by david_thornley (598059) on Monday April 05, 2010 @04:39PM (#31740486)

    The point of these regs is that the corporation and its clients have diverging interests. It's in my interest that my medical records not be publicly distributed (well, it certainly could be), but releasing them wouldn't really matter to the companies that keep them. Since I don't have much of a choice of companies, and can't audit these companies, market forces are inadequate to protect my interests.

    Therefore, the government steps in. There are three ways the government could do this. One is to prescribe security measures. One is to allow me to sue for a whole lot of money in statutory damages if my privacy is breached. This gives the company some incentive, but it means that a large breach (despite what may be good security measures) kills the company. The last way is to have criminal penalties for data breaches, and that has the same result.

    The prescribed security measures are actually the safest way for a given business. They require some expense, but they're also a form of insurance.

    As far as the company's vital data goes, well, protecting their data is up to them. They have the resources, authority, and incentive. They have resources and authority to protect my data, and I have the incentive.

    • by vlm (69642)

      but releasing them wouldn't really matter to the companies that keep them

      Carrot or stick? Stick seems a miserable failure. Let's try carrot.

      Allow them to sell your records for a minimum high fixed cost. You know they trade them for free right now. High enough that the market is pretty thin indeed. Let's say $100K and you are required to get a cash kickback of $X per sale. If your info is publicized, their balance sheet is ruined since no one would buy from them and you can sue them for your kickback. They'll just discount the cost off their balance sheet onto some kind of N

  • by prgrmr (568806) on Monday April 05, 2010 @05:02PM (#31740864) Journal
    The HIPAA regs have a lot of criteria for data protection, but practically nothing about how to implement or measure a given implementation for those criteria. I worked at a hospital where the CIO honestly thought that having backup tapes and a spreadsheet of prioritized servers to bring back up in the event of a disaster was a sufficient D.R. plan to cover what HIPAA required. So how did the study measure compliance?

    The answer is that they didn't. Nor did they measure the effectiveness of compliance-based processes and procedures, nor did they take into account the benefit of being in compliance. There's a chart in the .PDF that contrasts "custodial data" with "secrets". One of the criteria is Consequences. For "Secrets", the consequence is revenue loss, which is not necessarily automatic; however, they don't list revenue loss for "custodial data", even though there will be some, even if short-term, drop-off in business due to the incident.

    The study is presented from the bias that the two commissioning companies wanted, namely to drum up a motive via this presumably expertly manufactured need for greater security for security's sake. And you can bet that both Microsoft and RSA are going to be using this study to drive more product sales, and doing so from the perspective that better overall security equals better compliance--whether it actually does, or not.
  • This isn't an either/or question. An organization should step back, do an inventory (*much* easier said than done), and weigh the consequences and likelihood of a range of Bad Things, in other words a risk assessment.

    A relatively unnoticed provision of PCI requires doing a risk assessment, and you'd better do a risk assessment for HIPAA as well.

    If you do a risk assessment right, then you'll be led to spending money in the places where it does the most good. If a regulation prompts you to do one, then it has

  • Accounting (Score:3, Insightful)

    by Herkum01 (592704) on Monday April 05, 2010 @05:11PM (#31741010)

    Compliance is about appeasing the corporate bureaucrat with something which they can measure. Why do you think they hate IT, they don't know how to measure anything. Better to make up a measurement and pretend it means something rather than spend time and effort in something you have no interest and really don't understand.

  • TFA argues that more money should be spent on security than compliance because security is worth more. This makes a big assumption that each $ of spending is equally effective wherever it is spent: it may simply be more expensive to provide an acceptable level of assurance over compliance. Cost vs. benefit.

    Secondly, their concept of "valuable" seems to refer to their value as assets, but compliance is more about reducing the risk of potential liability. Compliance is required. Maybe it's with good reason, may

  • The idea behind those laws is not about protecting the company, it's about protecting the consumer and investor in that company. They are designed to give the same protection to the little investor, or individual customer the company doesn't care about, as the big guy the company could have trouble with if they piss off. I know that these laws don't always work that way, but to say they don't help protect the company is like saying that life boats aren't worth anything because they don't help people trapped in
  • Well of course (Score:2, Informative)

    by ZouPrime (460611)

    The reason why security programs are geared toward compliance is because that's what sells to stakeholders!

    A security manager in a typical organisation can rarely go see his boss to ask for massive investment in security without being laughed at. Security costs money, and without facing a real, quantifiable risk, his boss simply won't care. Obviously your mileage may vary depending on your boss's cluelessness, your ability to efficiently sell fear, and your industry.

    Compliance, on the other hand, is scary. The

  • by pongo000 (97357) on Monday April 05, 2010 @07:21PM (#31742820)

    I have a merchant account for my performance shop. I'm required by my merchant account bank to submit to "certification" via PCI-DSS. Certification consists of logging into a site yearly and answering a series of questions, such as "Are customer receipts printed so that no more than the last 4 digits of the customer's CC number are printed, with no expiry dates or CVVs?" It's like the psych tests you take for a government job: You basically answer what you believe they want to hear.

    The cost for this "certification" process? $100 a pop. I have no choice...get "certified" or lose my account.

    • Re: (Score:3, Informative)

      by Ritchie70 (860516)

      You are a small merchant. You are making the mistake of believing that what you experience is what everyone experiences.

      Merchants are split into three groups, "A", "B", and "C" if I remember correctly.

      Class "C" merchants just have to do a questionnaire.

      Class "B" merchants have to do more, I'm not sure what exactly.

      Class "A" merchants have auditors in every year writing reports, and they always find something to ding you on.

      It's a nightmare.
