Friday, 7 September 2007

Compliance and disclosure

I've had a lot of wishes of good luck since I moved back to the UK, and announced my move to Ingrian, and I want to say thank you to everyone who's contacted me in a more public way.

My first mail was from Brian Honan in Ireland, a senior consultant with his own firm, who wrote to me to wish me luck for my move. I wrote back to ask him what he was involved in, and he happened to mention that he was pressing for a breach disclosure law over there.

In the last 10-20 years a transformation has happened in the Irish economy, particularly in Dublin, the capital city where Brian is based. There was a boom from 1990-2001, characterised as "The Celtic Tiger", during which the economy there grew from one of Europe's poorest to one of its wealthiest. Much as Spain has done in the last few years with its construction industry, Ireland did so with its technology and innovation. With growth come growing pains; legislation, particularly around electronic transactions, is usually the last thing to be put in place. Breach disclosure has often been an afterthought.

Then Jon Robinson, after wishing me luck with the move, picked me up on something else yesterday which I thought I was fairly clear on in my own mind. Compliance: do we need it? I've always believed in it, thought of it like an embarrassing geeky younger brother to security (the cool one, good at sports, knows karate), but just let it run, and used it to push my wares when needed. We all know compliance does not equal security; we all assume that we need to comply for the greater good. But who are we doing it for, and why? Why should we be forced?

I started to get my ideas down on screen, and it struck me just how much compliance is a double-edged sword, and it's really not had the effect that it was supposed to as yet. Instead of being the great security driver, it is more of a great security leveller: it's making us think (at last).

The things I am hearing about compliance and disclosure laws from the States are:

1. Disclosure doesn't hurt a business. The pain for customers to move outweighs the pain of being breached. They see breaches as temporary, and trust brands. If anything, breach disclosure acts as free publicity.

2. Compliance is not specific enough in either technical or business terms, it's like the Sword of Damocles, perpetually hanging over those in power, waiting for someone else to disturb it.

3. Businesses in the States are moving in droves to take sensitive data out of their own storage and, where possible, keeping only pointers to the data (credit cards, SSNs, etc.) held in other people's storage, which means there is no need for the same level of data security on their side.

4. Because of this, QSAs and consultants in the US are moving into Europe in unprecedented numbers, to address a market which isn't aware of these methods yet.

5. If you are compliant, you don't have to disclose breaches. HOWEVER, if you are compliant and have a breach, are you better off disclosing, or keeping schtum? There have been a few cases recently where people have just come right out and said it, even when there was no need.

Is compliance really the answer we have been looking for, or just a sales tool?

The bad thing about compliance is that it is a stick measure, dressed up as a carrot. Something to beat you with, while the people behind it are saying "if you comply, you'll be safe". But you aren't. Just because you are compliant does not mean you are secure. Ironic? At the very least. As a result there is so much confusion that the consultants who know security can clean up, but then, they are liable, and the security landscape is ever changing. If I were any one of my clients I'd be extremely upset about compliance.

The good thing about compliance is that it turns security into a business issue which needs to be addressed by CEOs and CFOs. This is good for consultants (again) and vendors, however, not for the average consumer. I've said in a previous post that consultants are up for a good run in the near future due to the state of the market at present, but there is going to be a lot of competition from some big US firms (that I've also mentioned recently), because of the way compliance is forcing sensitive data out of the corporate infrastructure.

I think we'll see a few more small consulting firms being bought up by large US companies in a bid to take over the European market before it dries up like it is doing in the States, and like the vendor world, it will be increasingly a case of start-ups being started as acquisition targets rather than going concerns in their own right. I find this a bit sad, just like I did with supermarkets taking over from corner shops, but this is the price of progress I suppose.

Maybe if I get in quick I can still become a millionaire, but then millionaires are ten a penny these days. Who wants to be a millionaire when we're talking in billions?
