Slashdot Mirror


Compliance Is Wasted Money, Study Finds

Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."

3 of 196 comments (clear)

  1. It's more than IT compliance by grimsnaggle · · Score: 4, Interesting

    My school, working with VW, built a new building for automotive projects. It has handicapped parking spaces, handicapped showers and bathroom stalls, male and female restrooms, and multiple chemical showers. There are few handicapped people in the school, fewer in engineering, and none on any of the automotive teams - for obvious reasons. There are also very few females, to the point that unisex bathrooms (like those used in more gender-normal parts of campus) would have been a fine option.

    There's also wasted space for clearance around electrical panels (which are everywhere), inspection points, etc. All told, some 30% of the square footage of the new building is wasted by complying with regulations. And the government charged us $130/sq ft just for the permit.

    And we wonder why China is whipping our ass...

  2. Re:Naturally... by MillionthMonkey · · Score: 3, Interesting

    And people wonders why so few startups are going on that may produce new jobs.

    I've been to several startups in the past year that exist solely for compliance purposes. They'll have only a few customers, all large corporations. Typically they'll come up with some little scheme like building physical "appliances" that clients plug in to their internal network and voila all this stupid traffic is being logged and kept on record and emails are flying out to customers a mile a minute. On average these outfits hire a couple dozen people. Very dull jobs but they pay well.

  3. Re:Well... by Rophuine · · Score: 5, Interesting

    ...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.

    No, and that's the point of TFA. You have to invest heavily in HIPAA compliance. I worked in banking for years, and got a pretty good picture of why it happens this way.

    Here's how it was before compliance:
    [Some random CIO guy] thinks we need X level of security, and that's what we get. But it turns out [SRCIOG] isn't too good at working out how much security we need, so we get hacked and lots of [patients/customers/federal agents] lose all of their [medical records/money/lives]. We fire [SRCIOG] and hire [SRCIOG2], but it turns out we have the same problem.

    Compliance solves the arbitrary nature of the security level we aim at. We're now all aiming at Z, but the problem is [SRCIOG27] still doesn't really know what he's doing, and there's still budget pressure and he still doesn't think we REALLY need all that security because hackers happen to OTHER CIOs. So he looks at Z, and says "How can we meet each objective of Z in the cheapest and least intrusive fashion? After all, we have products to build, and research to do, and this compliance Z target is so expensive and annoying and FOR CRYING OUT LOUD DON'T TELL THE AUDITOR ABOUT THE OFFSITE BACKUP SYSTEM!!!?!"

    So yes, people focus on compliance and spend lots of money to get minimal security: it's a bad solution, but it's better than just letting them set their own (often much lower) standards. Some organisations will get it right, spend the resources appropriately, and end up with a compliance solution which provides real benefits and isn't costly to maintain. The pack, by and large, spend the minimum possible up front, and keep spending and spending and spending every year in order to convince the auditors they're "making good progress".

    Ultimately, compliance doesn't give us security. It gives us a big stick to beat people with when they blatantly ignore security.