Tuesday, May 25, 2010

On Greed and Complianciness

Disclaimer: This post is not inspired by any past or present events in my work or personal life. The opinions expressed here are mine and not necessarily those of any of my employers, customers, vendors or organizations with which I affiliate.

As the Gulf Coast becomes another environmental disaster while the country is still recovering from the financial meltdown, I can't help but think about the parallels between running a sound information security program and compliance. You must know by now that I am an advocate of the work NIST has done as a result of FISMA. This has led to the many 800-series documents, which have helped many organizations, despite what the haters may say. We need compliance and compliance frameworks; without them, nothing will happen.

BP was not required to have the secondary piece of equipment, so they didn't install it. Now look what happened. Wall Street gambles with people's mortgages and livelihoods, and the taxpayers (in the form of the Federal Reserve and bailouts) have financed the losses.

In the same vein, why would an agency or department spend taxpayer money on security when they aren't required to, especially when there is a deficit and a push to contain costs? They wouldn't. Congress had to mandate it.

I'm not trying to make a political statement. I am saying that without compliance programs and frameworks, a company would do nothing. Without the threat of fines from compliance or public relations disasters, a corporation has no incentive to do ... anything.

So here again, let us not blame compliance itself for failures that occur because a company merely practices complianciness. We should also not be surprised when an organization chooses the path of least resistance and doesn't put resources towards a real information protection program.

1 comment:

Mike said...

I couldn't agree more, Chris, well said. Compliance should be the natural by-product of good security practices, not the other way around.