It’s still a choice

    This post is prompted by an “enthusiastic debate” about regulatory compliance I had recently with another gentleman in our profession.

    I’d love to take a poll of infosec professionals to find out how many of them adhere strictly to speed and other traffic laws when they drive.  Why?  Because many of these are the same people who state with conviction that, when a law/regulation exists regarding information protection, an organization MUST comply.  While we might wish that were true, the fact is that compliance is ALWAYS a choice.  It’s just another risk decision; usually a trade-off of some sort.  Does the organization prefer to accept the risk associated with potentially being caught and facing legal and other losses, or would it prefer to accept the costs and business impact associated with complying?

    The other consideration in play is the fact that many laws are open to interpretation.  I’ve been in plenty of meetings where the ambiguity in law is leveraged in decision-making.  Not in a malicious, bwah-ha-ha sort of way, but in a legitimate “How do we best manage the cost and risk associated with running a business?” sort of way.  And for those who’d argue that’s a terrible thing, I’d bet a close look at some of your own decisions will find a little “harmless interpretation” of the law from time to time.

    Of course, some people might argue that you can’t compare speeding, tail-gating, and rolling through stop signs with the damage that can occur from a breach of credit cards or other PII.  I beg to disagree.  I believe the risk associated with automobile accidents resulting from even relatively simple carelessness or thoughtlessness is significant.

    The point is, when we adopt the premise that laws/regulations somehow eliminate choice and decision-making, we’re being naive, and this naiveté comes across pretty glaringly to many of the business professionals we serve and support.  It’s just another example to them of the infosec geek lacking perspective and viewing our very grey world in black-and-white terms.

    1. Chris Hayes Jan 19

      This is probably the third response I have written to this post; the others being way too snarky and possibly uncivil. As a matter of fact, I put the SIRA podcast on hold... :-)

      If a company holds as one of its values that it will be ethical and reinforces to its employees, management and board that it will follow all state and federal laws – then it is drawing a line in the sand. I agree that ultimately it does come down to a choice. But here is the deal – in a lot of cases – it should not HAVE to come down to an actual choice. Your use of the word MUST is an absolute. I would rather use the word OBLIGATED. An experienced practitioner will try to leverage others in the organization who are far better qualified to underscore the importance of compliance (general counsel, business leaders, etc…). Finally, we need to differentiate between risk management of a compliance gap versus completely denying that a gap exists. The former is good enough for me and in some cases will appease regulators. The latter is negligence and a recipe for disaster.

    2. Jack Freund Jan 19

      >>If a company holds as one of its values that it will be ethical and reinforces to its employees, management and board that it will follow all state and federal laws – then it is drawing a line in the sand.

      @Chris Hayes

      Sounds like that company has made a choice about its ethics to me….

    3. Ayman Galal Jan 19

      I agree with your point that compliance is a trade-off. The same goes when someone decides to break the law. He/she decided to choose to break the law and accept the risk of that.

      When someone says you MUST comply with specific regulatory requirements, you should ask why, to make up your decision.

      You picked the traffic light example, and you are right that you have the choice to comply with traffic law. But you don’t have a choice about its enforcement or the consequences if you do not obey the law.

      To elaborate more on my point: when someone drives in a country where law enforcement is relaxed and punishment for breaking the law is not severe, that person would be more willing to choose between breaking the law and obeying the law as an ethical choice.

      But when the same person drives in a country with stronger law enforcement and severe punishment for breaking the law, he would be more cautious if choosing not to obey the law.

    4. Ben Tomhave Jan 19

      I think this is great, Jack. It’s actually a major component of legal defensibility theory. There are very valid reasons to choose not to effect changes or make investments in meeting compliance requirements. So long as those reasons are well-reasoned, supported by reasonable data, and documented for posterity, then that’s really all you need to do, assuming it answers the question “If not doing this results in a breach, and then we’re sued or have charges filed against us, can we make a compelling argument that we made the best decision with the best available data?”

    5. Jack Jones Jan 19

      @ Chris — And I thought I was the one who got worked up about this! ;-) You make a good point about obligation vs. “must”, but as Mr. Freund points out, that too is a choice. As for leveraging General Counsel and others to help emphasize the importance of compliance, they often come to the table offering additional information that may, or in some cases may not, emphasize compliance, often due to the ambiguity in law or the costs and business impact of compliance. Even if, let’s say, legal counsel tells management that they can’t do X because of the legal ramifications, management (at a high enough level) is still in the position of saying, “Thanks, but I’m going to anyway.”

      Don’t get me wrong though, I’m not advocating non-compliance (I’m one of the most law-abiding people I know — by choice, I might add). All I’m doing is pointing out the fact that the existence of a law or regulation simply adds another form of risk to the decision-maker’s equation. For example, there may be a lot of good reasons why an organization might implement X, Y, or Z to reduce the risk associated with sensitive consumer information. Adding regulations on the matter simply adds a new set of stakeholders (the regulators and other legally-motivated parties) and codifies expectations. If, however, the regulations have no teeth and/or there is very little chance of being caught (any of those come to mind?) then, as Ayman points out, the motivation to comply is lower.

      Regarding negligence and disaster — well, in some (but not all) cases that’s true. Here again though, that decision/choice is in the hands of management, whether we like it or not.

    6. Jack Jones Jan 19

      @Ben – Great points! Have you started going to law school? ;-)

    7. AviD Jan 20

      Very well put.

      This will help me elucidate the counter-point of what I coined “AviD’s Law of Regulatory Compliance”
      (aimed mostly at PCI-DSS, but can be taken generally…), originally stated when asked about the benefits of PCI compliance:

      “PCI compliance reduces the risk of the penalties of non-compliance.”

      Now it’s not as flippant as it sounds, huh?

    8. Jack Jones Jan 21

      @AviD — Absolutely! I’ve done plenty of analyses for clients where the question being asked is, “How much risk is associated with non-compliance?”. In those cases, the auditor or regulator is the “threat agent” — not in a malicious sense but purely in a “They can inflict harm” perspective. In those cases, whether/how compliant the organization is clearly affects the answer.

    9. LonerVamp Jan 27

      I tend to call this issue the Great Security Gamble. Basically, you can always choose to not do security or accept risk or whatnot, but you’re taking a gamble in suffering an incident or in someone finding you out about poor practices. I think even the decision to disclose breaches falls under this umbrella, and many companies I believe still opt not to disclose…until they lose that gamble.

      I also love and have long used the example of driving safety/laws/risk decisions to put corporate digital security into perspective. As any LEO will say, if they want to pull someone over, all they have to do is follow them for a little bit…and they *will* find that reason.

    10. Jack Jones Jan 28

      @ LonerVamp — Great point about the LEO situation and its similarity to infosec. I’d be willing to bet that no organization (of any size/complexity) is truly, fully compliant with whatever policies they have of their own, let alone external requirements. So it’s never a matter of whether a rule is being broken, it’s a matter of how often, how badly, whether it will be discovered, and whether any consequences will result. The external stakeholders and requirements-makers are limited in their monitoring/discovery resources, so it’s a very similar gamble to the driving scenario.
