Compliance Is Wasted Money, Study Finds

Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."

Naturally...

[russotto]

Screw up with your customers data, and the worst that happens is you get a PR black eye, or you lose money. Don't follow regulations and unless you've got a Congressman in your pocket, you can go to jail.

Re:Naturally...

Posting anonymously for semi-obvious reasons....

I work for a Fortune 200 firm. We have branches in all 50 states (and many countries as well, but I'm in the US division.)

Every locality - city, state, whatever - has its own little set of laws. Some of the tax laws are very complex. Our software can't handle all of them.

So every one that comes up, one of the questions that go into the decision making is this: How big is the fine if we don't?

If the defined fine is less than it will cost to implement the change, sometimes we let it go and figure we'll pay the fine if we're caught.

On the other hand, it's absolutely true that compliance gets a higher emphasis and a higher visibility than actual security. We're redoing our credit card processing at the moment, and although the new implementation meets the PCI-DSS regulations better than the old one (in other words, it does) it also has a much larger potential for major data loss.

The old architecture was totally decentralized. You would have to compromise each of our locations to get their credit card data.

The new one is centralized. Compromise one server and you've got it all.

Process/Objective Inversion

[Citizen+of+Earth]

The purpose of the 'process' is to serve the 'objective'. When serving the process becomes the objective, you're boned.

Re:Process/Objective Inversion

[Daniel+Dvorkin]

There are two different objectives here, with (at least) two different processes. The first of these objectives is securing corporate assets. The second is securing sensitive individual information about people with whom the corporation does business. Security processes should ideally serve both objectives, but if that's impossible, then one process (or set of processes) has to be given prioroty over the other. As a customer of, say, Amex or Cigna, I care a whole hell of a lot more about the second objective than the first, so it doesn't displease me at all that the processes related to that objective are well-funded.

wasted?

[Lord+Ender]

If you aren't compliant, you won't be able to sell certain services or take on certain customers. Being compliant is certainly not a waste from a business standpoint.

Re:wasted?

[CrimsonAvenger]

If you aren't compliant, you won't be able to sell certain services or take on certain customers. Being compliant is certainly not a waste from a business standpoint.

Note that if the Feds required that all of your marketing department drive Rolls-Royces, then what you said would still be true.

It would even be true if the Feds required that any software guy had to wear a clown suit to work.

Neither of these things is at all relevant to your business, however. And the point of the article is that much of the (unnecessary) compliance requirements of various Federal laws are about as important as my two examples.

Re:wasted?

[Lunix+Nutcase]

So you think that the feds requiring people to protect your health records, for example, is a waste? Would you really rather go back to a time when the same companies didn't care? Sure these compliance laws are usually flawed in many ways, but since this holds the companies accountable for a minimum of data security at least they will do something whereas they would normally do nothing.

Re:wasted?

[Jah-Wren+Ryel]

Would you really rather go back to a time when the same companies didn't care?

I think I would because I would like to see the follow-on effects. I believe that most of HIPPA is smoke & mirrors, that violations are rampant and the requirements full of loopholes thus it gives a false sense of security to the public. I would rather the public be made acutely aware of the risks and that instead of just trusting that the law will protect the public, that we start relying on other mechanisms, like minimizing the data we give to health care companies and allow them to keep. It's a lot simpler to avoid disclosing data you don't have than it is to build up a wall of fallible procedures around the data instead.

Re:wasted?

[Gerzel]

Neither is having a good fire escape strictly relevant to manufacturing shirt-waists, but it is still necessary for a good reason.

You have to look at why the compliance regulations are there and not if the regulations themselves have anything to do with the business.

The process is part of the goal in order to make sure things get done and done correctly. While yes many can indeed do things correctly outside of the process and many more might be able to muddle through the process is a form of insurance paid in extra time and labor to make sure things get done right.

Re:wasted?

[peragrin]

And that is why your delusions is worse. without HIPPA companies weren't held responsible because it was always some other companies fault. Every company could plead it wasn't us because there was no way to track who was actually responsible.

There is a reason greed is a deadly sin among some religions. Let's try this another way. dec. of 2006 Circuit city BOD executives noticing a small drop in sales and in need of their bonus checks, fired their top 3000 sales earners. the top 3000 who the company paid the most in salary that weren't managers. But who also accounted for the majority of their sales. They paid themselves tens of millions of dollars in bonuses. By July 2007 Sales were a third of what they should be and by dec. 2007 most stores were closing up as the whole company was bankrupt.

That same kind of executive thinking is found in the majority of CEO's. read http://money.cnn.com/galleries/2010/news/1004/gallery.top_ceo_pay/index.html?source=cnn_bin&hpt=Sbin over half the people on this list have gotten major bonuses yet are still posting losses for the same year. Do you want that kind of thinking to have total but deniable control over your health? that is life without HIPPA.

Just remember the vast majority of laws are there because someone abused something to the detriment of many. The law may not be perfect but having it is better than the alternative.

Re:wasted?

[WalkingBear]

Federal requirements to protect health records, financial data, personal information, etc.. are great things. Federal requirements that say "unlawful disclosure of X information will result in Y penalties" is definitely a good thing. Federal requirements stating *HOW* every business within an industry or even across all industries perform a function are outdated at best, counter-productive at worst, before the ink's dry on the legislation.

Re:wasted?

[Rophuine]

The problem is that you're right. Compliance doesn't generally add value to the individual product or service. It adds value to the network or industry. Take PCI-DSS and the VISA and MasterCard networks.

Each individual bank/merchant wants to spend the minimum possible. As one of 30,000 odd banks on the network, or one of however many millions of merchants, they think their odds of being involved in a major breach is pretty small, and the risk of a lot of people losing a lot of money is that they change their name and set up shop down the road (in the case of a merchant), or shake their head, say they're sorry, and spend a million bucks on a brand name security solution (in the case of the banks). If you spend a little bit of money before anything happens, you raise the bar a bit, and reduce your risk a bit, but still, YOUR customers don't really see any benefit to those fee rises, so lots of places just try to sit below the radar of the hackers and the scammers and the other random crims.

Enter compliance: VISA and MasterCard say "hey, this sucks, nobody will spend money on security 'cause they think it won't happen to THEM. But EVERY SINGLE TIME IT HAPPENS, IT HAPPENS TO US. If each bank has one little problem once a year, we have THIRTY THOUSAND problems, and we're SICK OF IT." So they go to industry and say "you guys have to do this. And this. And this and this and this. And if you don't do it, we're gonna fine you a hundred grand. And if you don't pay the fine AND fix the problem, you're off our network, which pretty much means you're out of business."

And VISA and MasterCard create a whole new industry, and lots of jobs, and it turns out having a minimum level of security (or at least, a big stick to hit people with if they don't bother with a minimum level of security) is actually a financial plus across the system as a whole, even if it's bad for the some of the businesses. And consumer confidence is up, too, so we have more people spending more money, so even the banks and the merchants are happy in the end (by and large). And VISA and MasterCard say "HEY! This is cool, our profit margins are much better. Let's pay ourselves bigger bonuses."

Re:wasted?

[Rophuine]

So yes, I think it's a waste that the government forces corporations to spend a shit ton of money doing things that don't actually help me, instead of spending that money actually securing my data.

You're positing that if HIPAA was removed, industry would take all that wasted compliance money and spend it on security. I postulate that they'd instead take all that wasted compliance money and spend it on Ferraris.

So you're saying

[compucomp2]

If there were no regulations and standards, then all the money would be funneled into actual security protocols?

Doesn't seem like that would be the case, especially since they are now just "going through the motions" to ensure compliance with regulations. The companies may well ignore data security altogether. By complying with regulations there is at least some level of security.

It's like the teachers' complaint that standardized tests force them to "teach to the test", well at least they're teaching something rather than nothing, which was the point of the test in the first place.

Re:So you're saying

[Eskarel]

And the astute teacher would be right, but still a crappy teacher.

However, the only way to find teachers who aren't teaching before it's too late is to periodically check their performance which means testing the students to see what they know.

The good teacher might question whether the test was doing an adequate job of measuring their performance(is it actually checking if the students are being taught what they need to know as opposed to what is on the test), and they might complain about the burden the test put on them when they're doing their job correctly, but they'd understand what the test was for.

Compliance is an expensive exercise, be it through testing or audits or whatever other avenue it might arrive, but the only way to determine whether someone is doing what they say they are before it's too late to change things is to check every so often. The issue for discussion is whether the checks are checking the right things.

Wow, way to miss the point.

[Daniel+Dvorkin]

If a company's IP is insecure, it may, possibly, lose some money. If data which falls under regulation is insecure, people go to prison. This is exactly as it should be, and so the "imbalance" is entirely appropriate.

I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information. Fortunately, most people in the world are sane enough to disagree.

Re:Wow, way to miss the point.

[Attila+Dimedici]

If a company's IP is insecure, it may, possibly, lose some money. If data which falls under regulation is insecure, people go to prison. This is exactly as it should be, and so the "imbalance" is entirely appropriate.

I suppose the folks at Forrester Research think that IP protection is more important than protecting, say, personal medical information. Fortunately, most people in the world are sane enough to disagree.

An important correction: if data which falls under regulation is not kept according to the regulation people go to prison. If following the regulation decreases the security of the data, no problem.

Re:Wow, way to miss the point.

[Daniel+Dvorkin]

An important correction: if data which falls under regulation is not kept according to the regulation people go to prison. If following the regulation decreases the security of the data, no problem.

Fair enough, and if you can show that following HIPAA regulations makes personal medical data less secure, go for it. But the article doesn't address this point at all. They're talking solely about the relative value of corporate IP vs. data such as medical and credit information which is covered by regulation, and making the (absurd, to most people with a brain) argument that because the first is more valuable to the corporation than the second, corporations should spend their security dollars accordingly. In the absence of regulation, of course, this is exactly what would happen; the laws which specify harsh penalties for non-compliance are an entirely appropriate correction to this tendency.

Re:Wow, way to miss the point.

[Daniel+Dvorkin]

Who has gone to prison (in the US) for not securing data, pre the standards being discussed in the article?

Before the standards were in place? Nobody, of course. Which is why the standards were put in place!

If you think the standards are unrealistic, or don't achieve their objectives, or could be implemented better ... fine, those are all valid points. But TFA doesn't address that at all. The point of HIPAA, PCI-DSS et al. is to ensure that corporations which deal with sensitive personal data take appropriate care with that data. Apparently some people in the exceutive suite are whining that they have to spend too much money protecting other people's information, because even though having the data is absolutely necessary to running their business, protecting it takes too much time and money. Well, cry me a river.

Well That Makes Sense

[TheNinjaroach]

Regulations are in place to force companies to protect data that they would otherwise have very little incentive to protect. Protecting data that is important to the company itself comes naturally and does not require mandates.

Re:Well That Makes Sense

[bearsinthesea]

I think you have some misconceptions about PCI. "At best", I have seen PCI make companies improve firewall rules, secure WLANs, and encrypt your plaintext credit card numbers (for starters).

If someone has told you that PCI requires using a 3rd party provider for public networks, you should get a second opinion. I have never seen that required or implemented.

Similarly, your firewall problem seems specific to your implementation. PCI requires firewalls between public networks and the cardholder data environment. Internal firewalls are not required, but are usually used to limit the scope of PCI. You don't want to make your CEO or secretary's computer PCI compliant, so you use firewalls to isolate only the systems in the cardholder data environment. You don't -have- to do this, but it makes things easier. I don't understand specifically what you mean by "a concentrated firewall and internet provider hub", but it does not sound like something required by PCI. Although it may have been a system designed by your organization to make compliance easier.

Checklist Security...

[Jah-Wren+Ryel]

their security programs are driven mainly by compliance, rather than protection (PDF).

Sadly, this seems to be the way of the world. Even the things you would expect to be high-security, like classified information, tends to get this sort of treatment. I like to call it "Checklist Security" because most of the people doing security work are more interested in checking off steps an official procedure to CYA themselves than to make sure that whatever they are trying to protect is actually secured.

The TSA is another classic example - no containers of liquid greater than 100ml on the plane because that's on the checklist, but indiscriminate dumping of hundreds of them into one big trash bucket next to 30+ people in line at the checkpoint is fine because that's not on the checklist.

One of two ways

[david_thornley]

The point of these regs is that the corporation and its clients have diverging interests. It's in my interest that my medical records not be publicly distributed (well, it certainly could be), but releasing them wouldn't really matter to the companies that keep them. Since I don't have much of a choice of companies, and can't audit these companies, market forces are inadequate to protect my interests.

Therefore, the government steps in. There are three ways the government could do this. One is to prescribe security measures. One is to allow me to sue for a whole lot of money in statutory damages if my privacy is breached. This gives the company some incentive, but it means that a large breach (despite what may be good security measures) kills the company. The last way is to have criminal penalties for data breaches, and that has the same result.

The prescribed security measures are actually the safest way for a given business. They require some expense, but they're also a form of insurance.

As far as the company's vital data goes, well, protecting their data is up to them. They have the resources, authority, and incentive. They have resources and authority to protect my data, and I have the incentive.

Re:The report is plain wrong IMHO

[sweatyboatman]

the report doesn't actually say that companies should not spend money on compliance. the summary says that, sure, but this is slashdot.

the paper says that the costs to companies of IP theft is far larger than for data leaks.

since companies cannot spend less on compliance, clearly the point is to get them to spend more on IP security. Which might be why Microsoft and RSA commissioned the paper in the first place. Now they can go into corporate board rooms and say "Yes, you already spend $X millions on security, but this report shows why you should spend $2X millions more on our new and improved security!"

Accounting

[Herkum01]

Compliance is about appeasing the corporate bureaucrat with something which they can measure. Why do you think they hate IT, they don't know how to measure anything. Better to make up a measurement and pretend it means something rather than spend time and effort in something you have no interest and really don't understand.

Re:It's more than IT compliance

[vlm]

Sometimes things are overbuilt for future use. For example in my area a large building at the local CC was designed and built for a "printing industry center of excellence". Crashed and burned, now they have general ed classes in the empty rooms.

The womens bathrooms will get more use when VW moves out and nursing holds some classes in the empty rooms. Or the handicapped folks training to become accountants, or whatever.

I find it highly unlikely you'll pay $130/sq for a permit alone. Maybe total project cost from say go until first class is held.

Re:Well...

[RMH101]

I spent 10 years in pharma IT. Compliance gives you, as the IT tech guy, a stick to hit the bean counters with to justify your security. You have serious licence-to-operative FDA tigers growling at you, and it's no longer acceptable to not bother with some reasonable baseline of security and repeatability - ComVal. If you need to spend a small fortune on fixing a security problem, you'll get it if you phrase your request in terms of compliance.