The True Cost of Compliance
Survey reveals that doing the bare minimum is roughly the equivalent of an invitation to financial disaster.
One of the major themes emerging from RSA Conference 2011 this week is the confusion between meeting compliance requirements and actually having secure IT systems.
Far too many IT organizations seem to equate compliance with security, rather than realizing that compliance with any regulation only represents achieving the minimum level of security required. While most security professionals understand this conceptually, far too many of the organizations they work for are simply trying to check off the requirements box associated with any number of regulations.
This naturally leads to a debate over whether compliance regulations are really stringent enough, given the tendency of IT organizations to invest as little as possible in security. Danny McPherson, chief security officer for Verisign, estimates that about 80 percent of what is ascribed to the IT security budget is actually spent on compliance issues. Worse yet, most customers don't invest in anything more than anti-virus and firewall technologies, which generally means that the organization remains exposed to a whole host of security issues.
McPherson is of the opinion that, over time, more customers will adopt security services delivered via the cloud to augment their IT security, simply because acquiring that additional security expertise in-house is cost-prohibitive. But in the meantime, security is in danger of being compromised because customers have a false sense of confidence about what it actually means to be compliant with any number of regulations, while the number of distributed denial of service (DDoS) incidents and sophisticated attacks on DNS servers continues to rise. This is especially troubling, adds McPherson, when you consider the limitations of anti-virus software in dealing with modern malware and the porous nature of most firewall deployments.
Ultimately, McPherson says that the real fear is that unless IT organizations become more proactive about security, regulations will become more prescriptive. That means legislators and bureaucrats with very little actual IT expertise will start dictating security policies without regard to the actual business risks involved. And once that happens, you can bet that the cure will be a whole lot worse than the disease.