Nobody “likes” government regulations. But imagine what it would be like to live without them. What if there were no banking regulations – who would check to see if my money was safe? The bank?
I’ve worked in banks. The answer would be “no.” Not without oversight. Banks have internal auditors, but a fresh eye can often see something significant. The external regulators come in and check things periodically.
Nobody likes being audited. Auditors look for what’s wrong, and report on that, rather than what’s right. But I can count on my fingers the number of organizations I’ve audited that are working hard and have the buy-in to exceed the “Gentleman’s C” of simply being compliant.
Far more organizations seem to be simply covering their tracks or ignoring the issue of protecting the data they’ve acquired due to “costs of implementation.”
Since we seem, as a country, unable to pass a national data-protection law that has teeth, individual states are now passing their own.
The resulting publicity from frequent data breaches has both good and bad elements: on the one hand it highlights bad company practices; on the other hand, drowning in data breach reports builds in a certain level of public “overkill.”
The far better strategy, in terms of cost and performance, is to acquire best practices and implement them. It’s been proven over and over, but it seems that asking companies to police themselves isn’t working. At all.
Is that good? Not sure, but “It beats snowballs in summer,” as my father-in-law likes to say. Use free tools, make nice with your auditors, use their input to get it out in front of management, don’t resort to FUD (that’s the job the vendors do).