When it comes to regulations specifically and security in general, we make calculated bets every day. There is no practical way to comply with every regulation on the planet, and the cost of attempting it would be prohibitive for most organizations. Likewise, there is always some probability that a hole in our patchwork of security policies will be exploited, yet putting fixes in place for every known security threat is equally impractical for most organizations.
Most IT organizations accept this inherent level of risk, but IT security people rarely know how large the gap actually is between the current state of their systems and the full set of security threats and regulatory requirements they face. They can make an educated guess, but for the most part they are flying blind.
One company trying to narrow that gap is Lumension Security, which is rolling out a new Risk Manager offering based on products the company added to its portfolio with the acquisition of Securityworks. The Lumension Risk Manager does not eliminate risk, but it does help IT organizations quantify it. It also substantially reduces the time it takes to identify those risks, and a tool that does that is handy to have around when auditors start climbing all over your company.
Lumension has enhanced the Risk Manager product through an alliance with Network Frontiers, which has developed a Unified Compliance Framework: a database that maps the relationship between various regulatory requirements and more than 2,500 controls that IT organizations should, in theory, have in place to comply with them. The most useful property of this database is that it shows which controls satisfy several regulations at once, so an organization can implement and evidence one control once rather than maintaining a separate, redundant control for each regulation.
Perhaps most important of all, the Lumension Risk Manager gives the IT department a way to share the risk with the rest of the business. All too often, when something goes badly wrong, the IT department gets hung out to dry. If IT organizations can better quantify the actual risks, the decision about which compliance regulations and security requirements to meet, and which to accept as risk, can be shared with business executives. That means the next time something goes wrong, the organization, as Benjamin Franklin once put it, will "hang together" rather than hang separately.