Slashdot Mirror
Compliance Is Wasted Money, Study Finds
Trailrunner7 writes "Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."
The purpose of the 'process' is to serve the 'objective'. When serving the process becomes the objective, you're boned.
If there were no regulations and standards, then all the money would be funneled into actual security protocols?
Doesn't seem like that would be the case, especially since they are now just "going through the motions" to ensure compliance with regulations. The companies may well ignore data security altogether. By complying with regulations there is at least some level of security.
It's like the teachers' complaint that standardized tests force them to "teach to the test", well at least they're teaching something rather than nothing, which was the point of the test in the first place.
The point of these regs is that the corporation and its clients have diverging interests. It's in my interest that my medical records not be publicly distributed (well, it certainly could be), but releasing them wouldn't really matter to the companies that keep them. Since I don't have much of a choice of companies, and can't audit these companies, market forces are inadequate to protect my interests.
Therefore, the government steps in. There are three ways the government could do this. One is to prescribe security measures. One is to allow me to sue for a whole lot of money in statutory damages if my privacy is breached. This gives the company some incentive, but it means that a large breach (despite what may be good security measures) kills the company. The last way is to have criminal penalties for data breaches, and that has the same result.
The prescribed security measures are actually the safest way for a given business. They require some expense, but they're also a form of insurance.
As far as the company's vital data goes, well, protecting their data is up to them. They have the resources, authority, and incentive. They have resources and authority to protect my data, and I have the incentive.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
And that is why your delusions is worse. without HIPPA companies weren't held responsible because it was always some other companies fault. Every company could plead it wasn't us because there was no way to track who was actually responsible.
There is a reason greed is a deadly sin among some religions. Let's try this another way. dec. of 2006 Circuit city BOD executives noticing a small drop in sales and in need of their bonus checks, fired their top 3000 sales earners. the top 3000 who the company paid the most in salary that weren't managers. But who also accounted for the majority of their sales. They paid themselves tens of millions of dollars in bonuses. By July 2007 Sales were a third of what they should be and by dec. 2007 most stores were closing up as the whole company was bankrupt.
That same kind of executive thinking is found in the majority of CEO's. read http://money.cnn.com/galleries/2010/news/1004/gallery.top_ceo_pay/index.html?source=cnn_bin&hpt=Sbin over half the people on this list have gotten major bonuses yet are still posting losses for the same year. Do you want that kind of thinking to have total but deniable control over your health? that is life without HIPPA.
Just remember the vast majority of laws are there because someone abused something to the detriment of many. The law may not be perfect but having it is better than the alternative.
i thought once I was found, but it was only a dream.
...considering we are a pharmaceutical call center, we pretty much have to invest heavily in HIPAA security.
No, and that's the point of TFA. You have to invest heavily in HIPAA compliance. I worked in banking for years, and got a pretty good picture of why it happens this way.
Here's how it was before compliance:
[Some random CIO guy] thinks we need X level of security, and that's what we get. But it turns out [SRCIOG] isn't too good at working out how much security we need, so we get hacked and lots of [patients/customers/federal agents] lose all of their [medical records/money/lives]. We fire [SRCIOG] and hire [SRCIOG2], but it turns out we have the same problem.
Compliance solves the arbitrary nature of the security level we aim at. We're now all aiming at Z, but the problem is [SRCIOG27] still doesn't really know what he's doing, and there's still budget pressure and he still doesn't think we REALLY need all that security because hackers happen to OTHER CIOs. So he looks at Z, and says "How can we meet each objective of Z in the cheapest and least intrusive fashion? After all, we have products to build, and research to do, and this compliance Z target is so expensive and annoying and FOR CRYING OUT LOUD DON'T TELL THE AUDITOR ABOUT THE OFFSITE BACKUP SYSTEM!!!?!"
So yes, people focus on compliance and spend lots of money to get minimal security: it's a bad solution, but it's better than just letting them set their own (often much lower) standards. Some organisations will get it right, spend the resources appropriately, and end up with a compliance solution which provides real benefits and isn't costly to maintain. The pack, by and large, spend the minimum possible up front, and keep spending and spending and spending every year in order to convince the auditors they're "making good progress".
Ultimately, compliance doesn't give us security. It gives us a big stick to beat people with when they blatantly ignore security.
The problem is that you're right. Compliance doesn't generally add value to the individual product or service. It adds value to the network or industry. Take PCI-DSS and the VISA and MasterCard networks.
Each individual bank/merchant wants to spend the minimum possible. As one of 30,000 odd banks on the network, or one of however many millions of merchants, they think their odds of being involved in a major breach is pretty small, and the risk of a lot of people losing a lot of money is that they change their name and set up shop down the road (in the case of a merchant), or shake their head, say they're sorry, and spend a million bucks on a brand name security solution (in the case of the banks). If you spend a little bit of money before anything happens, you raise the bar a bit, and reduce your risk a bit, but still, YOUR customers don't really see any benefit to those fee rises, so lots of places just try to sit below the radar of the hackers and the scammers and the other random crims.
Enter compliance: VISA and MasterCard say "hey, this sucks, nobody will spend money on security 'cause they think it won't happen to THEM. But EVERY SINGLE TIME IT HAPPENS, IT HAPPENS TO US. If each bank has one little problem once a year, we have THIRTY THOUSAND problems, and we're SICK OF IT." So they go to industry and say "you guys have to do this. And this. And this and this and this. And if you don't do it, we're gonna fine you a hundred grand. And if you don't pay the fine AND fix the problem, you're off our network, which pretty much means you're out of business."
And VISA and MasterCard create a whole new industry, and lots of jobs, and it turns out having a minimum level of security (or at least, a big stick to hit people with if they don't bother with a minimum level of security) is actually a financial plus across the system as a whole, even if it's bad for the some of the businesses. And consumer confidence is up, too, so we have more people spending more money, so even the banks and the merchants are happy in the end (by and large). And VISA and MasterCard say "HEY! This is cool, our profit margins are much better. Let's pay ourselves bigger bonuses."
So yes, I think it's a waste that the government forces corporations to spend a shit ton of money doing things that don't actually help me, instead of spending that money actually securing my data.
You're positing that if HIPAA was removed, industry would take all that wasted compliance money and spend it on security. I postulate that they'd instead take all that wasted compliance money and spend it on Ferraris.
Posting anonymously for semi-obvious reasons....
I work for a Fortune 200 firm. We have branches in all 50 states (and many countries as well, but I'm in the US division.)
Every locality - city, state, whatever - has its own little set of laws. Some of the tax laws are very complex. Our software can't handle all of them.
So every one that comes up, one of the questions that go into the decision making is this: How big is the fine if we don't?
If the defined fine is less than it will cost to implement the change, sometimes we let it go and figure we'll pay the fine if we're caught.
On the other hand, it's absolutely true that compliance gets a higher emphasis and a higher visibility than actual security. We're redoing our credit card processing at the moment, and although the new implementation meets the PCI-DSS regulations better than the old one (in other words, it does) it also has a much larger potential for major data loss.
The old architecture was totally decentralized. You would have to compromise each of our locations to get their credit card data.
The new one is centralized. Compromise one server and you've got it all.