In this article from CIO magazine a few months ago, Allan Holmes discusses the challenge of surviving a regulatory audit. This excerpt sums it up:
"The dirty little secret here is that everybody tries to figure out how much risk they can assume without being embarrassed or caught," says David Taylor, a former Gartner security analyst and now vice president for data security strategies for Protegrity, a security and privacy consultancy. "The people I regularly talk to are trying to figure out if [their security] fails, what's the smallest amount they need to do to stay out of trouble and how they can blame someone else."

To make matters worse, different auditors interpret the regulations differently, and enforcement metrics are open to interpretation. Holmes points to another article on the ROI of noncompliance in the mid-market, in which he quotes a PwC advisory partner as stating that "You can get 80 to 90 percent of what you need to find ... and that does a lot to comply." In a related article, back in September, CIO pointed out that executives across all industries are making slow but incremental improvements in deploying information security policies and technologies.
Looking at all of this information together, it seems that a highly functional tool set that maximizes value per dollar and gets an organization 80% of the way toward full compliance may be more compelling to many organizations than an all-encompassing solution that consumes a huge portion of the security budget (and effort) to get them to 90% or 95% of the way there.
I believe compliance is more shades-of-grey than all-or-none. But how much so? Holmes seems to be suggesting that it is extremely open to interpretation, and that executives are constantly looking to deploy a minimalist solution that will win the CYA game while expending as few man-hours and dollars as possible. It's an interesting discussion, to be sure. Thoughts?