Posted by: David Schneier
Audit, compliance, cyber security, FFIEC, GLBA, PCI, regulations, Regulatory Compliance, Security, SOX
Despite earning a living in the space, I often question the value of regulatory compliance.
How is it that a business can be PCI-compliant but still have glaring vulnerabilities? How is it that despite layer upon layer of controls it’s still entirely possible for an executive to fudge numbers in a spreadsheet and alter a company’s financial reports? How is it possible that a financial institution undergoes an annual exam and, despite not adhering to the most basic tenants of FFIEC guidance, still receives a favorable report? And how is it that there’s a regulation that made an entire industry jump all at once but has never actually been enforced (can I see a show of HIPAA hands)?
And don’t think these statements are pure hyperbole; these all come directly from the field and from engagements I’ve been on in the last few years.
Why, you may ask, am I feeling a bit down on the regs this week? A couple of three reasons:
It started on Monday when I was catching up on my industry reading. There was an article about data leak prevention (DLP) software and how sales have been heating up lately. Of the reasons given by survey respondents as to why they were considering purchasing a DLP solution, the top two were pretty much pointing the finger at either industry or regulatory demands. The third reason was to avoid damage to the company brand/reputation, the fourth was to avoid lawsuits and finally, all the way down at number five on the list of reasons: to prevent the theft of proprietary information. That’s just Depressing (note the capital “D”). I thought it was embarrassing that the vast majority of survey respondents were looking to prevent data theft not because it was the right thing to do or to protect customers’ or employees’ sensitive data but rather because they’re being made to do so. And so maybe you can make the case that regardless of the reason, at least companies are being forced to do something about protecting their information. Sadly, that’s exactly my problem. When it comes to doing things for the sake of compliance most companies only take things as far as they need to in order to achieve/maintain compliance. The people on the front lines sort of lack enthusiasm for doing these things and figure their job ends once the auditors and examiners are happy.
My week of regulatory woe continued on Tuesday when while reviewing key activities aligned against one of the aforementioned frameworks, I identified what was a potentially significant gap not in how the client was conducting their work, but rather in what the regulation specifically required. In other words, despite my client being completely compliant with this stringent, well respected framework, there was still the very real possibility that a vulnerability could exist. I dug a bit deeper, made some phone calls to associates whom I often consider to be way smarter than I and the result was that I was right, the gap existed. One of my associates pointed out that in a well-run shop with a hardened infrastructure you would expect the situation I identified to be managed properly, but the reality is that unless they have to, few managers have the ability to go beyond what’s required (either by the business or regulations). I suppose if ever a day comes to exist when an IT department has finally cleared out their project queue and has money left in the budget they may very well get around to it, but I’m not volunteering to hold my breath.
And finally, my week is closing with news that a former client of mine is on its financial ropes and very likely about to declare bankruptcy. Really, in the end it’s just a sign of the times and the sad state of our economy. They appeared to be making the necessary adjustments over the past few years by trimming back staff and scaling back on non-critical projects, but they’re a half-inch to the left of the epicenter of this whole financial mess and in the end I guess there was no way to avoid the inevitable. But still, I think of all the money they’ve spent on compliance-based initiatives since SOX first hit the scene and I can’t help but wonder if all of that spend could’ve been put to better use. In the end, despite all of the great work that was done they still weren’t going to be able to prevent someone from massaging the numbers in a spreadsheet (a personal pet peeve of mine) Thinking about the number of people they’d brought in to size up and conduct the work to bring their controls up to the necessary levels and the fees they’ve paid to their external auditors to conduct the SOX audits is just plain depressing. Maybe if they’d used that money to fund a project to offer a new product line or enhance an existing one, they’d have found additional streams of revenue that could’ve helped them through this mess.
I suppose it comes down to this: anything worth doing is worth doing right. But in the regulatory space that’s not the general rule and I’m thinking that until the oversight bodies figure out a way to provide the proper incentives, the work will always be lacking if not deficient. Until being compliant also means being secure the job isn’t truly getting done.
Along those lines check back next week; I have an idea I’d like to share with you about how to make things better for all of us in the regulatory domain and turn things around.