Slashdot Mirror


Compliance Is Wasted Money, Study Finds

Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."

1 of 196 comments

  1. Re:wasted? by Jer · Score: 4, Informative

    The title of the Slashdot summary is unsurprisingly misleading and inflammatory. Reading TFA it doesn't suggest that money going into compliance is "wasted" - it suggests that companies aren't spending enough money to protect their own IP from corporate thieves.

    IOW - the article suggests that companies are spending the same amount of money to protect so-called "custodial" data (i.e. information they've collected about their employees and customers that is protected by HIPAA and other statutes) and their own IP. But the financial losses from losing their own IP are substantially higher than the losses they'll incur through leakage of "custodial" data, so they actually should be spending more money protecting custodial data than they spend on protecting custodial data.

    The underlying assumption in the article is that, unless you've implemented your compliance stupidly, you actually can't fix this disparity by spending less money. You can't cut your budget on compliance because it's required by statute. So instead you should be spending more money on protecting IP assets so that the ratios more realistically reflect the importance of the data being protected. Money that Microsoft and RSA, the funders of the study, are happy to take to help you implement solutions to protect your oh-so-valuable IP assets.