Compliance Is Wasted Money, Study Finds
Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."
Screw up with your customers data, and the worst that happens is you get a PR black eye, or you lose money. Don't follow regulations and unless you've got a Congressman in your pocket, you can go to jail.
The purpose of the 'process' is to serve the 'objective'. When serving the process becomes the objective, you're boned.
...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.
Living With a Nerd
If you aren't compliant, you won't be able to sell certain services or take on certain customers. Being compliant is certainly not a waste from a business standpoint.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I suspect they are being driven by the regulations they are forced to comply with. They can't decide to play by their own rules.
If there were no regulations and standards, then all the money would be funneled into actual security protocols?
Doesn't seem like that would be the case, especially since they are now just "going through the motions" to ensure compliance with regulations. The companies may well ignore data security altogether. By complying with regulations there is at least some level of security.
It's like the teachers' complaint that standardized tests force them to "teach to the test", well at least they're teaching something rather than nothing, which was the point of the test in the first place.
If a company's IP is insecure, it may, possibly, lose some money. If data which falls under regulation is insecure, people go to prison. This is exactly as it should be, and so the "imbalance" is entirely appropriate.
I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information. Fortunately, most people in the world are sane enough to disagree.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Having been deeply involved in HIPAA privacy protection for a large, monocolor insurance company in the state that hosts the NCAA men's basketball team with the greatest momentum I can state that the company's customers would likely not consider the investment a waste. I think this looks like Microsoft and RSA have asked Forrester for some product and service marketing help. Not that corporate IP is not important, for many companies the expenditure does not mean much of a financial payback.
Regulations are in place to force companies to protect data that they would otherwise have very little incentive to protect. Protecting data that is important to the company itself comes naturally and does not require mandates.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
their security programs are driven mainly by compliance, rather than protection (PDF).
Sadly, this seems to be the way of the world. Even the things you would expect to be high-security, like classified information, tend to get this sort of treatment. I like to call it "Checklist Security" because most of the people doing security work are more interested in checking off steps in an official procedure to CYA themselves than in making sure that whatever they are trying to protect is actually secured.
The TSA is another classic example - no containers of liquid greater than 100ml on the plane because that's on the checklist, but indiscriminate dumping of hundreds of them into one big trash bucket next to 30+ people in line at the checkpoint is fine because that's not on the checklist.
When information is power, privacy is freedom.
For corporate officers, it's essential.
The problem arises when scarce resources, and inadequate competence, mean that 'are we secure?' becomes 'are we complying?'
Hence the tendency to run towards out-of-the-box 'solutions' that are often far from 100% secure.
We, (IT guys) have our share of responsibility; it's very difficult, (but not impossible), to get senior management to take this point seriously.
Tip: I normally wait for a 'AMG Google hacked by the Chinese' news item before pouncing...
Look up critical infrastructure protection for a good example of a waste of time and money. Nebulous requirements that are audited to subjective standards by an agency that is funded by the fines they generate. What could possibly be wrong with that? When you see your electric bill rising this would be at least part of the reason why. It started out with good enough intentions: hold utilities accountable for the security of the systems used to provide critical services. However in practice it's more about generating fines than it is about ensuring security.
My school, working with VW, built a new building for automotive projects. It has handicapped parking spaces, handicapped showers and bathroom stalls, male and female restrooms, and multiple chemical showers. There are few handicapped people in the school, fewer in engineering, and none on any of the automotive teams - for obvious reasons. There are also very few females, to the point that unisex bathrooms (like those used in more gender-normal parts of campus) would have been a fine option.
There's also wasted space for clearance around electrical panels (which are everywhere), inspection points, etc. All told, some 30% of the square footage of the new building is wasted by complying with regulations. And the government charged us $130/sq ft just for the permit.
And we wonder why China is whipping our ass...
What TFA refers to as "custodial data" (customer PII, CC numbers, etc.) *should* be protected by compliance with government and industry-specific regulation. If a company wants to shoot itself in the foot by not protecting intellectual property, trade secrets, sales leads, etc. then let them. CxOs are far more likely to be paranoid about the security of their precious secrets than about their customers' data anyway, since one is an asset while the other is a burden (security-wise).
Maybe security compliance might be a waste of money (eg, security through obscurity), but let's not forget that if your website isn't accessible to the disabled you can be sued for it. I'm not sure if there are any state or federal mandated security requirements, but I imagine consumers can sue you after a break-in when you're not security compliant.
Learned this at LLNL. The computer security people there don't care about real security, they care about compliance. Else, they wouldn't have non-technical people such as ex-secretaries auditing and approving compliance with internal and US gov't regulations. "What is this dhcp thingy you are talking about?" "What is a domain?" "You're using logic; this is computer security."
Seems to be a typical management mentality - _appearing_ compliant, while not achieving the goals that the compliance is supposed to achieve.
Enterprises devote 80% of their security budgets to two priorities: compliance and securing sensitive corporate information, with the same percentage (about 40%) devoted to each.
So, the same amount of money is being spent between compliance and securing IP.
The paper suggests that companies should put more emphasis on the securing IP (trade secrets, etc.) and less on compliance. (Even after taking into consideration the penalties and punishments of a compliance failure)
It should also be pointed out that by compliance they mean all efforts to secure other people's information. So not just federal requirements, but also contractual obligations, and private lawsuits and PR problems that such security failures would entail.
from the paper:
We identified two kinds of information that have clear and tangible value.
Proprietary company secrets generate revenue, increase profits, and maintain competitive advantage. In addition,
custodial data such as customer, medical, and payment card information has value because regulation or contracts
make it toxic when spilled and costly to clean up. We explain each below.
It breaks my pluginses, my precious!
In many cases, the process of being "compliant" consists of replacing one set of vulnerabilities with another. Or writing up a ton of documentation that explains a set of policies and procedures -- knowing full well that there are gaping holes in operational practices and easy circumvention methods for anyone who wants a unilateral exemption.
I know of one organization that had a boatload of corporate governance, security and compliance audits, extensive corrective action reports for each "finding", etc. And yet, along comes an outsourced programmer who leaves a privileged database password embedded in a file that was exposed to the internet via the company's website. They were offline for a few days, assessing just how thoroughly their systems had been compromised after the hackers attacked.
This particular organization had a huge number of IT "management" staff, but most of them were converted from finance and had weak IT skills. Their emphasis on compliance came at the expense of operational competence. E-mail, database, or file servers might take a day off every now and then for the crisis du jour, but by golly they had corporate governance!
In figure 1 of the report one can read that consequences of custodial data leak would be cleanup and notification costs.
However, here's an excerpt from a randomly picked PCI-DSS FAQ (http://pci.evolve-online.com/pci-faqs.asp)
"
What are the penalties for non-compliance?
In the event of a security breach, penalties for non-compliance are imposed. We understand currently these to be in the order of:
* Fines at the rate of 5 euros per compromised account
* A breach fee in excess of 100,000 euros per incident
* Possible restrictions on the merchant
* Permanent prohibition of the merchant's participation in Visa and MasterCard programs
* Beyond compliance, business risks relative to brand, customer loyalty and company valuation exist if the cardholder data is not securely managed
"
Disclaimer: I do PCI-DSS audits
The point of these regs is that the corporation and its clients have diverging interests. It's in my interest that my medical records not be publicly distributed (well, it certainly could be), but releasing them wouldn't really matter to the companies that keep them. Since I don't have much of a choice of companies, and can't audit these companies, market forces are inadequate to protect my interests.
Therefore, the government steps in. There are three ways the government could do this. One is to prescribe security measures. One is to allow me to sue for a whole lot of money in statutory damages if my privacy is breached. This gives the company some incentive, but it means that a large breach (despite what may be good security measures) kills the company. The last way is to have criminal penalties for data breaches, and that has the same result.
The prescribed security measures are actually the safest way for a given business. They require some expense, but they're also a form of insurance.
As far as the company's vital data goes, well, protecting their data is up to them. They have the resources, authority, and incentive. They have resources and authority to protect my data, and I have the incentive.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
When serving the process becomes the objective, you're... ... just following "Best Practices," right?
It's really not that some things that end up in the conceptual bin labeled "Best Practices" are bad ideas. But there are two classes of people who are following/implementing them: those who understand the principles that gave rise to the rules, and those who don't. Becoming part of the former group generally takes a significant up-front investment. Becoming part of the latter group doesn't. Meanwhile, the benefits of wielding recommended practices and rules/regulations are more or less the same for both groups; the extra benefits of really understanding the principles are marginal (except for the occasional entrepreneurs who might be genuinely trying to compete with established players on efficiency). Particularly if your relationship with the company you work for falls between careerist and sociopathic, you have no real incentives to understand the principles behind any distilled rule. Rote recommendation and compliance is enough.
If you want regulation that works, rather than specifying some cargo-cult set of instructions for "compliance," you have to figure out what your real goal is, reward its genuine achievement, and make it really hurt (if at all possible) when there's a failure.
Tweet, tweet.
I work in Healthcare IT.
HIPAA just freaks people out. It is in most respects far less stringent than state law, yet the word strikes fear into the hearts of management. It's such a frustrating "buzzword" to hear from a sales rep that I have to focus not to discount anything they say after the words "HIPAA compliant." It's like telling someone they won't get a virus if they have Norton installed. HIPAA basically says you have to take reasonable measures. A password protected account is a reasonable measure by their definition. Sure, it's better than nothing, but never as strong as many other good habits we have around security. Compliance with a static law does nothing to maintain security in the future, let alone today, and anyone in the IT field surely knows that true "security" is a balance between functionality, ongoing education, and administration such that business needs are met, privacy is expected, and policies are strict enough to block most crap and lenient enough to allow work to get done. Unfortunately, I concur that far more emphasis is placed on "meeting" regulatory compliance, and not EXCEEDING compliance.
I'm posting Anonymously because my location, name, and career, combine to form a unique ID that would easily identify me since I'm in a small town.
The HIPAA regs have a lot of criteria for data protection, but practically nothing about how to implement or measure a given implementation for that criteria. I worked at a hospital where the CIO honestly thought that having a backup tapes and spreadsheet of prioritized servers to bring back up in the event of a disaster was a sufficient D.R. plan to cover what HIPAA required. So how did the study measure compliance?
The answer is that they didn't. Nor did they measure effectiveness of compliance-based processes and procedures, nor did they take into account the benefit of being in compliance. There's a chart in the .PDF that contrasts "custodial data" with "secrets". One of the criteria is Consequences. For "Secrets", the consequence is revenue loss, which is not necessarily automatic; however, they don't list revenue loss for "custodial data", even though there will be some, even if short-term, drop-off in business due to the incident.
The study is presented from the bias that the two commissioning companies wanted, namely to drum-up a motive via this presumably expertly manufactured need for greater security for security's sake. And you can bet that both Microsoft and RSA are going to be using this study to drive more product sales, and doing so from the perspective that better overall security equal better compliance--whether it actually does, or not.
This isn't an either/or question. An organization should step back, do an inventory (*much* easier said than done), and weigh the consequences and likelihood of a range of Bad Things, in other words a risk assessment.
A relatively unnoticed provision of PCI requires doing a risk assessment, and you'd better do a risk assessment for HIPAA as well.
If you do a risk assessment right, then you'll be led to spending money in the places where it does the most good. If a regulation prompts you to do one, then it has served security in general.
Compliance is about appeasing the corporate bureaucrat with something which they can measure. Why do you think they hate IT, they don't know how to measure anything. Better to make up a measurement and pretend it means something rather than spend time and effort in something you have no interest and really don't understand.
TFA argues that more money should be spent on security than compliance because security is worth more. This makes a big assumption that each $ spending is equally effective wherever it is spent: it may simply be more expensive to provide an acceptable level of assurance over compliance. Cost vs. benefit.
Secondly, their concept of "valuable" seems to refer to their value as assets, but compliance is more about reducing the risk of potential liability. Compliance is required. Maybe it's with good reason, maybe it's red tape; either way, doing it probably appears to add no value, but the consequences of not doing it may be ultimate. If a plausible consequence of non-compliance is the total failure of the company, say through legal action or customers deserting, it is therefore not possible for anything to be more valuable to the company than compliance.
Considering our current financial oh-noes, what has Sarbanes–Oxley achieved other than create an industry out of compliance? Worse - spawning dreaded Regulatory Compliance droids busting balls at every opportunity. Thankfully they have proved themselves redundant.
Of course we need some kind of rules, but more importantly, there needs to be a huge shake up of corporate governance.
The idea behind those laws is not about protecting the company, it's about protecting the consumer and investor in that company. They are designed to give the same protection to the little investor, or individual customer the company doesn't care about, as to the big guy the company could have trouble with if they piss him off. I know that these laws don't always work that way, but to say they don't help protect the company is like saying that lifeboats aren't worth anything because they don't help people trapped in the desert. If the boat doesn't help people at sea then it's worthless and we should do something about it. I don't care if murder being a crime doesn't help against rape, I still want it to be a crime.
The reason why security programs are geared toward compliance is because that's what sells to stakeholders!
A security manager in a typical organisation can rarely go see his boss to ask for massive investment in security without being laughed at. Security costs money, and without facing a real, quantifiable risk, his boss simply won't care. Obviously your mileage may vary depending on your boss's cluelessness, your ability to efficiently sell fear, and your industry.
Compliance, on the other hand, is scary. There are penalties directly associated with non-compliance, and you know someone will actually come here and check if you're compliant or not. So the risk is very direct and very obvious. That's why it's a much easier sell.
Of course, standards and regulations are designed to enforce security to begin with. Not saying that they are always succeeding, but at least they try to. So in the end, being compliant with a security standard does help your organisation's security. The issues arise when one tries to game the compliance, by falsely reporting which assets are critical for example. But if you're ready to lie (or bend the truth) around compliance, I don't see why you wouldn't do the exact same thing for security if you were left alone with your own risks.
This suggests (or admits) that companies practice a calculus regarding safeguarding of sensitive data whose release might cause harm to others. Particularly with respect to HIPAA, the implications are odious. It's saying that your organization actively weighs the trade-off in profitability between doing the absolute best that can be done to safeguard sensitive information about individuals, versus taking the hit in fines or monetary liability if there is a serious breach. That's like stating with a straight face that the well-being of your customers or employees really doesn't count for a tinker's damn.
I was AC in a similar post and subsequently got modded down similarly.
The key part for me is your first sentence here. Where I work, we have the same issue. IT people who don't "love" computers, who are more process & workflow people than true tech geeks. Process and workflow is important, VERY important, and I'm not saying those people shouldn't be where they are, but you need to have a mix of skills. Those tech people can do MORE than just comply with the law, but help a corp. exceed the standards set by organizations and laws such as HIPAA.
How much is your data worth? Back it up now.
I didn't get the chance to read the article, was just posting my thoughts based on the summary. It seems you get what I'm saying though, and I guess in a way, I'm advocating what they are saying because of my experiences in HC IT. You are correct that custodial data has value. It has far reaching value to the people who generated the data, but more in that it's a huge liability. The cost of carrying a liability is $0.00 until something happens, and it always does. The cost of carrying liability insurance (aka regulatory compliance in this context) is a little more, but somewhat measurable. The cost of decent security is the cost of compliance + the cost of additional resources as determined necessary by risk assessment, which is not immediately measurable, but not exactly unobtainable.
Helping me spend money in places where it adds little or no value...SWEET!!!
More importantly, don't follow PCI and say goodbye to accepting credit card payments.
but since this holds the companies accountable for a minimum of data security at least they will do something whereas they would normally do nothing.
Amen to that. And, to expound on the thought, a lot of federal regulations are there for a reason, usually because someone was doing the very thing that is prohibited, to the detriment of the public's best interest. Rules are often there because there are always a few self-interested jerks.
HA! I just wasted some of your bandwidth with a frivolous sig!
Heparin: http://en.wikipedia.org/wiki/2008_Chinese_heparin_adulteration
Since this "over-sulphated" variant is not naturally occurring and mimics the properties of heparin, the counterfeit is almost certainly intentional as opposed to an accidental lapse in manufacturing. The heparin was cut from anywhere from 2-60% with a counterfeit substance due to cost effectiveness, and a shortage of suitable pigs in China.
Drywall: http://news.yahoo.com/s/ap/20100402/ap_on_bi_ge/us_chinese_drywall
The drywall has been linked to corrosion of wiring, air conditioning units, computers, doorknobs and jewelry, along with possible health effects. Tenenbaum said some samples of the Chinese-made product emit 100 times as much hydrogen sulfide as drywall made elsewhere.
Pet Food: http://en.wikipedia.org/wiki/2007_pet_food_recalls
Sometime in mid-March, an "unnamed pet food company" reported to Cornell that they had discovered an industrial chemical utilized in plastics manufacture, melamine, in internal testing of wheat gluten samples. .....
The chemical was found in the suspected wheat gluten in raw concentrations as high as 6.6 percent.
Cooking Oil: http://rawstory.com/2010/03/chinese-consumed-millions-gallons-toxic-sewage-oil-study/
Chinese cooking oil siphoned from restaurants' waste tanks and stripped out of raw sewage is being resold on the cheap and has for years tainted approximately one out of every ten meals cooked in the eastern nation, according to a recent study.
Toothpaste: http://publicsafety.tufts.edu/ehs/?pid=27
In recent weeks, the U.S. Food and Drug Administration (FDA) has identified a number of instances of contaminated toothpastes that have been imported and sold in the United States. The toothpaste from China and counterfeit Colgate toothpaste may contain diethylene glycol (DEG), a chemical used in antifreeze.
Two are current: cooking oil and drywall.
Yes, the US will be a much better competitor if we just give up regulation, make a few people rich and poison everyone. Actually we already have, if you consider how unregulated Toxic Assets have ruined both the domestic and world economy....
Why is Snark Required?
I have a merchant account for my performance shop. I'm required by my merchant account bank to submit to "certification" via PCI-DSS. Certification consists of logging into a site yearly and answering a series of questions, such as "Are customer receipts printed so that no more than the last 4 digits of the customer's CC number are printed, with no expiry dates or CVVs?" It's like the psych tests you take for a government job: You basically answer what you believe they want to hear.
The cost for this "certification" process? $100 a pop. I have no choice...get "certified" or lose my account.
Compliance money ain't wasted if it keeps the government from socking the enterprise with stiff fines and the CEO in jail for non-compliance.
Display some adaptability.
This happens every time someone wants to continue "competing" by cutting corners.
When no one forces standards, companies "compete" by neglecting some areas, so in their race to the bottom they eventually reach the point when no one can provide any kind of safety. The whole structure of pricing, available services, training, etc. makes it unaffordable to do anything that improves the neglected area, so everyone trembles in fear that either the whole thing will crash down, or someone will out-neglect him and force the company out of the market.
Then government produces some regulation, and sends scary jackbooted thugs to enforce it. Rationally behaving companies would welcome those thugs no matter how scary and rude they are. They can't hurt you more than they hurt your competitors -- not unless you suck so much, you have to cut corners more than your competitors do just to maintain price parity with them. They WILL hurt your worst enemies -- competitors who drive cost down by increasing risks. Companies' management should be happy that now they and their competitors have to spend some minimal amount of money and effort on compliance, and compete on something productive.
That is, if management recognizes that excessive risk is a problem.
Contrary to the popular belief, there indeed is no God.
Over a year ago, I wrote this post: "Security by compliance is obviously not working. We need to stop thinking about information security and start thinking about information risk management. Compliance should be approached from a risk management, and not a purely technical, perspective. You need to do information security not to meet compliance but to protect the business. There is a huge difference between those two methodologies. We need to identify, govern and manage IT risk for security, and therein realize compliance." See it at http://www.linkedin.com/myprofile?trk=hb_tab_pro
cjacobs001
I don't know if my experience is typical, but the last time I worked with a compliance manager was a thoroughly painful experience.
The whole point of having a bunch of processes which organisations are supposed to comply with is that those processes prevent certain Bad Things from happening. In order for those processes to be effective, they either need to cover every conceivable scenario (no such process has ever been written), or they need to be followed with an understanding of what they're trying to achieve and to the spirit of the process rather than just the letter.
This particular compliance manager (and I have no idea if it's typical of people in that role, but I suspect it is) didn't really seem to grasp that - or if she did, she didn't care. As long as the process was followed to the letter, she was happy. Any suggestion for doing anything which may have been what the process was trying to achieve but wasn't officially sanctified as part of it would be shot down (more effort, the company wasn't obliged to do it). Frankly, she could have been replaced with an automated system fairly easily were it not for the fact that her job had to exist for legal reasons.
There are two different objectives here, with (at least) two different processes. The first of these objectives is securing corporate assets. The second is securing sensitive individual information about people with whom the corporation does business. Security processes should ideally serve both objectives, but if that's impossible, then one process (or set of processes) has to be given priority over the other.
You are quite right, as far as you go. In fact, there are at least four objectives being served here.
(Disclaimer: I work at a large international investment bank)
3. Kissing corporate executive ass
4. Kissing government regulatory ass
Most of compliance falls into the latter two categories, and is about perception and ticking off boxes in corporate compliance forms far more than protecting assets. In fact, more often than not, the compliance requirements result in technical and bureaucratic logjams that are so onerous that the employees of the company are forced to route around them in order to do their jobs, resulting in far less security than would be in place if the compliance requirements were more sensible (and common sense) and less attorney driven. In either event, neither corporate nor customer security is enhanced...merely the bottom line of government bureaucrats, third party vendors, an entire division of the company whose sole purpose is to prostrate themselves before the ass of said parties, and the most important bottom line of all: ticking off a few annual objectives of some of the higher-up executives so they can "show their impact" and pad their bonus.
Day-to-day operating procedures are routinely decimated by this, but that only affects the bonuses and bottom line of the lower ranks and the day-to-day security of the firm...hardly a concern (after all, if something does happen, there's always someone (far) beneath said executives to fire).
The Future of Human Evolution: Autonomy
Defence in Depth. An absolute requirement to have real defence. Trust relationships are a relationship where the failure of the other party is as if YOU failed.
So, definitely YES, multiple layers of firewall are worthy.
Compliance does NOT equal Security
The analysis reported on in the article says that business data (trade secrets, etc.) is more valuable than the contents of the database, and this may be true from the business's perspective. However, the laws exist to protect *my* interest in the data that someone keeps about me. It is just because that data is important to me, but not the company, that laws like HIPAA exist.