Sunday, February 27, 2011

The true cost of non-compliance is ZERO*

There has been lots of talk about the cost of compliance, and lately about the cost of non-compliance.  Most of the talk conveniently ignores this fact:
The cost of non-compliance is ZERO*

*if nothing goes wrong.

If you don’t think that the people making decisions on budgets should and do consider this fact, you are probably both more frustrated and less effective than you need to be.

I hear you saying “but Jack, things always go wrong”.  That is both true, and not true.  In the security world we mostly deal with things which have gone wrong, and that’s what we see.  The stuff humming along nicely (or at least not horribly) is usually under our radar.

The things most likely to go wrong are:

  • Getting caught
    • This likelihood ranges from “probable” for many under PCI to “indistinguishable from zero” for many other laws and/or regulations.
      • Note: you need to have former Assistant DAs explain lack of funding for regulatory enforcement to you when you try to convince them to secure their law practices to really enjoy this topic. Or so I’ve heard.
  • Suffering a breach
    • This still leaves open the question of whether being compliant would have prevented the breach
      • “Compliant” does not guarantee “secure”.
    • More importantly, this does not address whether compliance would have provided the most effective preventative (both from cost and logistic perspectives).