Thanks for the link, Robbie! Here's a copy of the blog post... --------------- "I went to an informative "Cornerstones of Trust 2009" conference yesterday in San Mateo, CA. One of the sessions I attended was "Compliance is Not The Same as Security!". It's an important topic, especially for IT/security staff facing challenges getting their security initiatives funded during these tough economic times. "There was a theme that ran throughout the session which I can summarize as this: 'CEOs are being short-sighted by not investing in the [fill in the blank] security initiative. Don't they realize that a breach is inevitable, given enough time? And the cost of the [fill in the blank] security initiative is much, much lower than the cost of dealing with a breach (estimated at over $200 per record). Not to mention that preventing said breach provides other tangible and intangible benefits including protecting the brand, preventing customer erosion due to loss of trust, and avoiding a calamitous drop in stock prices.' "Given the compelling case for securing the enterprise, why do CEOs fail to invest more in security solutions? Does this simply represent a failure of IT and security staff to make a compelling business case? Or are the CEOs in fact being short-sighted? "Let's try looking at this from the CEO's perspective. He or she is continuously under scrutiny by Wall Street, and the most common measure of the CEO's and the company's performance is by comparing various financial metrics to a relevant peer group, typically the company's competitors and other players in the same industry. Investors want to know - especially in an economic downturn - whether the CEO is keeping expenses in line. In other words, does the company spend a higher percentage in any category than peer company XYZ? If so, is there a measurable ROI from this higher rate of spending? If not, it looks to an investor like wasteful spending or lack of discipline. How should a CEO respond to that? "Risk management is the only rational way to frame the debate. But now we've entered the world of probabilities and risk assessments. What we know to be true is that no amount of spending can guarantee there will be no breaches. The management decision is one of making rational trade-offs between the probability of an event, and the cost of reducing that possibility - but not eliminating it. "In recent years, a new dimension has entered the debate: compliance. Regulatory standards apply now to public companies (SOX), healthcare (HIPAA), card handlers and retail (PCI), various aspects of financial services (primarily GLBA, but including the entire range of FFIEC audits), and other sectors. Most companies therefore have a mandatory level of security that's required in order to meet compliance requirements; failure to do so results in audit findings, and possible material weakness reports. No CEO wants that. "Security spending for compliance, then, is a given. And while compliance spending may not comprehensively protect the enterprise against a breach, it does provide one important bit of protection: liability. From the CEO's perspective, while the cost per record of responding to a breach may be high, it's nowhere near the potential cost of lawsuits resulting from said breach. And achieving compliance appears to provide a liability shield. "Therefore, the CEO thought process might go something like this: Security spending for compliance is mandatory. And while additional security-related spending might make us more secure, it doesn't add anything in terms of liability protection. Furthermore, there's no guarantee that additional security spending will prevent a breach, but there's a strong likelihood that it will increase spending compared to industry benchmarks. By spending on compliance we are protected against the biggest exposure, which is legal liability. It's not perfect, but given the pressure on margins it will have to do. "If compliance standards are strengthened, then of course the company - as well as all of its competitors - will increase spending to comply. And there's plenty of room for improvement in reducing IT audit findings; see here and here to read about top IT audit findings. "Cloud Compliance is developing an Identity and Access Control (IdAA) solution to improve the efficacy of compliance solutions, and reduce the cost of achieving compliance. Due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks and ensuring that their security spending is in line with their peers. Finally, in contrast to most identity management systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur. "