Compliance Is Wasted Money, Study Finds
Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."
FWIW - PCI-DSS is a requirement of Visa, Mastercard, et al. Not the feds.
It is an acronym for "Payment Card Industry Data Security Standard."
When information is power, privacy is freedom.
The title of the Slashdot summary is unsurprisingly misleading and inflammatory. Reading TFA it doesn't suggest that money going into compliance is "wasted" - it suggests that companies aren't spending enough money to protect their own IP from corporate thieves.
IOW - the article suggests that companies are spending the same amount of money to protect so-called "custodial" data (i.e. information they've collected about their employees and customers that are protected by HIPAA and other statutes) and their own IP. But the financial losses from losing their own IP are substantially higher than the losses they'll incur through leakage of "custodial" data, so they actually should be spending more money protecting custodial data than they spend on protecting custodial data.
The underlying assumption in the article is that, unless you've implemented your compliance stupidly, you actually can't fix this disparity by spending less money. You can't cut your budget on compliance because it's required by statute. So instead you should be spending more money on protecting IP assets so that the ratios more realistically reflect the importance of the data being protected. Money that Microsoft and RSA, the funders of the study, are happy to take to help you implement solutions to protect your oh-so-valuable IP assets.
The main problem with most compliance protocols (HIPAA or PCI) is that at best they do nothing at all, at worst it's actually counterproductive as it opens the company up to more breaches (due to human nature, laziness or conflicting policies).
I am involved in both HIPAA and PCI compliance and in the past I have been involved with Sarbanes-Oxley as well. For example, with PCI as well as Federal wiretapping compliance, you need to have your wireless and public networks, respectively (if you're a de facto wireless internet provider to random strangers, e.g. libraries, universities, ...), run through a separate (3rd party) provider, and they need to be either logically or physically divided from the main network. Therefore, anyone on your public or wireless network will have to tunnel a VPN through a 3rd party provider, route it out to the internet and back into your primary provider to get work done, which makes the whole system inherently less secure because your data goes outside your network.
PCI requires a firewall before your internet facing servers but also a perimeter firewall (if you have a really large institution) before all your edges, even though you may have separate departmental firewalls. This does not make sense as you get to have 2 or 3 layers of firewalls - the first 2 layers being the ones that were historically built up and the 3rd layer a concentrated firewall and internet provider hub, which becomes 1) easier to attack because it's all in one point, 2) easier to fail for the same reason, 3) more difficult to maintain because you still need the hierarchy of departmental firewalls to prevent attacks from other departments or other points in the network.
Custom electronics and digital signage for your business: www.evcircuits.com
I work in Healthcare IT.
HIPAA just freaks people out. It is in most respects far less stringent than state law, yet the word strikes fear into the hearts of management. It's such a frustrating "buzzword" to hear from a sales rep that I have to focus not to discount anything they say after the words "HIPAA compliant." It's like telling someone they won't get a virus if they have Norton installed. HIPAA basically says you have to take reasonable measures. A password protected account is a reasonable measure by their definition. Sure, it's better than nothing, but never as strong as many other good habits we have around security. Compliance w/ a static law does nothing to maintain security in the future, let alone today, and anyone in the IT field surely knows that true "security" is a balance between functionality, ongoing education, and administration such that business needs are met, privacy is expected, and policies are strict enough to block most crap and lenient enough to allow work to get done. Unfortunately, I concur that far more emphasis is placed on "meeting" regulatory compliance, and not EXCEEDING compliance.
I'm posting Anonymously because my location, name, and career, combine to form a unique ID that would easily identify me since I'm in a small town.
The reason why security programs are geared toward compliance is because that's what sells to stakeholders!
A security manager in a typical organisation can rarely go see his boss to ask for massive investment in security without being laughed at. Security costs money, and without facing a real, quantifiable risk, his boss simply won't care. Obviously your mileage may vary depending on your boss's cluelessness, your ability to efficiently sell fear, and your industry.
Compliance, on the other hand, is scary. There are penalties directly associated with non-compliance, and you know someone will actually come and check whether you're compliant or not. So the risk is very direct and very obvious. That's why it's a much easier sell.
Of course, standards and regulations are designed to enforce security to begin with. Not saying that they are always succeeding, but at least they try to. So in the end, being compliant with a security standard does help your organisation's security. The issues arise when one tries to game the compliance, by falsely reporting which assets are critical, for example. But if you're ready to lie (or bend the truth) around compliance, I don't see why you wouldn't do the exact same thing for security if you were left alone with your own risks.
You are a small merchant. You are making the mistake of believing that what you experience is what everyone experiences.
Merchants are split into three groups, "A", "B", and "C" if I remember correctly.
Class "C" merchants just have to do a questionnaire.
Class "B" merchants have to do more, I'm not sure what exactly.
Class "A" merchants have auditors in every year writing reports, and they always find something to ding you on.
It's a nightmare.
The preferred solution is to not have a problem.
I know for a fact that some insurers and claims processors have stopped using encrypted archives and moved to faxes for "secure" documents, because faxes only fall under the privacy rule, not the security rule, and their archive vendor would not indemnify them against security rule violations.
I seriously doubt this is the only example of "following the specific rules decreases system security" related to HIPAA or any other rule-based security policy/regulation. It's pretty much a given that any new rule you enact will result in people changing their behavior to avoid the scope of the rule rather than simply complying with the rule; it happens even with 8-year-olds who want to stay up late, let alone managers who spend all day looking for a way to gain $0.02/unit over the competition.
--
And let's not even get into the harm caused by selling people "secure" systems that are not. For example, most "secure" email solutions neither guarantee encryption of outbound mail nor provide authentication of the intended recipient. But since they comply with the specific requirements of the relevant regulation we buy them anyway. Then users feel safe in sending sensitive information over the new "secure" system -- information that they may never have sent if we didn't tell them it was secure -- thereby increasing the risk profile while at the same time wasting money on non-secure "security" systems, all in the name of regulatory compliance.
If that isn't an instance of the Broken Window Fallacy I don't know what is.