Compliance has become a threat to business, or at least that’s how I see it. It’s complex, it’s overlapping, it creates a false sense of security and it’s downright expensive – especially when it’s not done correctly. Compliance is one of those things that you can hardly do business with and certainly can’t do business without.
But compliance still exists and it cannot be ignored.
The major problem with compliance is that so many people view it as a substitute for reasonable information security and proper risk management. I was just looking at the Chronology of Data Breaches and shaking my head. Over 510 million compromised records and counting. Many of the breaches on this list are unbelievable and likely inexcusable. Sadly, I’m sure somewhere along the way someone – an auditor or manager – deemed these computers/networks/operations “compliant” with whatever regulation.
Just what is it going to take to keep our personal information personal? Not to mention keeping “confidential” and “internal use only” business information actually confidential and for internal use only.
The key is to never ever rely on compliance alone, as I wrote about in this CSO Magazine piece. It’s just too risky. It may please some auditors or regulators in the short term, but it’s not a sustainable strategy. Period.
Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.