Effective security is not the same thing as complying with security rules and regulations. Sure, there is a certain amount of overlap: deliberately violating security requirements often results in poor security. But from a vulnerability assessor's perspective, a good rule of thumb is that at least a third of security rules and regulations in large organizations actually make security worse. Often, this is because the security requirements don't adequately account for local conditions, human nature, organizational culture or unrecognized security vulnerabilities.
Many security managers fully understand that compliance does not necessarily equate to good security (though the political or legal need to be in compliance may be unavoidable). Others, however, do not share this view and believe that they can evaluate the effectiveness of their security primarily by auditing compliance with rules and regulations. Nothing could be farther from the truth.
Probably the most common examples of compliance harming security include the following: bureaucracy, paperwork, record keeping, efforts to interpret and implement complex rules (sometimes confusing and contradictory), time spent preparing for audits, "teaching to the test," memorizing trivia, and spending large sums of money on dubious and expensive security measures and consultants. All of these result in distractions, frustration, loss of focus and energy, and the waste of security resources. Particularly damaging can be foolish regulations or legislation imposed by naive bureaucrats, regulators, executives or legislators over-reacting to security incidents.
Roger G. Johnston, Ph.D., CPP, is CEO and Chief Vulnerability Wrangler at Right Brain Sekurity, a company devoted to security consulting and vulnerability assessments. He headed the Vulnerability Assessment Team at Argonne National Laboratory from 1992 to 2007, and was the founder and head of the Vulnerability Assessment Team at Los Alamos National Laboratory from 1992 to 2007. He is the author of the revised and expanded 2nd edition of Security Sound Bites: Important Ideas About Security From Smart-Ass, Dumb-Ass and Kick-Ass Quotations.