One of the more compelling, yet less obvious, reasons for taking security seriously is to prevent it being forced down our throats, complete with flawed requirements. GLBA, HIPAA and Sarbanes-Oxley are examples of what happens when our lawmakers feel there is a problem and they try to legislate an answer. Don't get me wrong, these laws were designed to address real problems, but their execution is far from perfect.
Let's pick on Enron for an example: If there had been some accountability in the boardroom and at the accounting firm, maybe Enron would not have become, well, Enron. And, maybe Arthur Andersen would still exist, and maybe corporations throughout the US would not have to spend buckets of cash complying with this law. But, Enron was Enron, and Andersen did what they did (and didn't do), and SarbOx is the law, for better AND worse.
If we don't accept our responsibility to secure our systems, we could end up with more legislation mandating how we run our businesses. Well-intentioned, but poorly crafted, regulations or personal responsibility: that should be an easy choice.