Sunday, February 27, 2011

The true cost of non-compliance is ZERO*

There has been a lot of talk about the cost of compliance, and lately about the cost of non-compliance. Most of that talk conveniently ignores one fact:
The cost of non-compliance is ZERO*

*if nothing goes wrong.

If you don’t think that the people making budget decisions should, and do, consider this fact, you are probably both more frustrated and less effective than you need to be.

I hear you saying “but Jack, things always go wrong”. That is both true and not true. In the security world we mostly deal with things which have gone wrong, and that’s what we see. The stuff humming along nicely (or at least not horribly) is usually under our radar.

The things most likely to go wrong are:

  • Getting caught
    • This likelihood ranges from “probable” for many under PCI to “indistinguishable from zero” for many other laws and/or regulations.
      • Note: you need to have former Assistant DAs explain the lack of funding for regulatory enforcement to you when you try to convince them to secure their law practices, to really enjoy this topic. Or so I’ve heard.
  • Suffering a breach
    • This still leaves open the question of whether being compliant would have prevented the breach
      • “Compliant” does not guarantee “secure”.
    • More importantly, this does not address whether compliance would have provided the most effective preventative (both from cost and logistic perspectives).
Jack

4 comments:

Christopher said...

Great article Jack. I think the most apt analogy may be driving without insurance.

While driving without insurance certainly saves money, you could be pulled over (compliance) or get into a wreck (breach).

If the likelihood of being pulled over is low enough, or the fine costs less than the insurance (think ALE calculations), then folks may not worry about being pulled over.

Some people don't believe they are going to get into an accident. Either they feel that they are above-average drivers (secure), they have not been in a wreck before, or they feel it won't happen to them.

As you mention on the compliance side there is a lack of enforcement, and on the breach side we have a lack of data.

While there are a few uninsured motorists out there, most people do what's right, either because they are risk averse, or simply because it's the right thing to do.

For some companies profit motive outweighs the last point, which is a shame.

- Christopher

Jack Daniel said...

Great analogy Christopher. If we're brave enough we can extend that to include "mandatory insurance" as required in some states as "enforcement". If only we had that kind of incident data that traffic safety professionals have on their field.

LonerVamp said...

Fully agree. This is one of those Security Truths we need to accept right alongside, "You Will Suffer a Breach Someday." I think we get distracted at times with our ALEs and breach risk==1...but that 1 could happen in 20 years! Not the fiscal measure we like to think inside.

Also, don't underestimate the tendency to stifle breaches, either under layers of middle managers scared for their jobs or management who don't fess up until something hits the public. As unsavory as that is...

LiD said...

Thank you for the perspective Jack. Most of us in the "trenches" by day feel pain because of the high importance put on compliance.
In corp America sometimes compliance > people