Thursday, March 20, 2008

Information Security, Governance, Compliance and Safety Belts

The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice.

I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life.

I think that the same is true with Information Security. It won't (necessarily) save your life but it is good practice. And yet companies are only doing it because it is now law.

The problem with this is that it is not accepted by people in their hearts. I know of people who drive around without their belts on and put them half on when they see a traffic cop.

The Information Security equivalent is jacking up your InfoSec program when the auditors come to visit and letting it slide when they are not around. Or making sure that they don't see some issues that you are well aware of.

I have seen a lot of complaints about PCI, SOX and the like, in the same way that people complain about "self protection" laws such as safety belt laws. The thing is that the government is stepping in only because people are very bad at self regulation. Really, what a number of InfoSec experts are trying to promote is this: understand why you need to protect yourself, understand how, and abide by it. Do it for your company, not because the government demands it.

That way, not only will you be "compliant" and full of "good governance" but more importantly - your company will be safe.

2 comments:

Anonymous said...

Hey Allen, interesting article (esp. in context of recent breaches).

"I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws. The thing is that the government is stepping in only because people are very bad at self regulation."

A couple of points -

PCI is about the payment card folks transferring their risk to their customers - not really about gov't paternalism re: risk (though it stems from GLBA).

"people are very bad at self regulation."

Is this because of careless business owners or because we, as security folks, have been notoriously bad at communicating risk - and because consumers are too lazy/busy to take action on a whole-scale level?

Let me suggest that the point at which compliance becomes not only irrelevant, but harmful (more analogous to prohibition than to seat belts) is the point at which an organization understands risk within the context of their capability to manage risk.

rybolov said...

I thought you were reading my mind when I saw the title. I read this article by Malcolm Gladwell last night: "Wrong Turn: How the fight to make America's highways safer went off course".