This post is prompted by an “enthusiastic debate” about regulatory compliance I had recently with another gentleman in our profession.
I’d love to take a poll of infosec professionals to find out how many of them adhere strictly to speed limits and other traffic laws when they drive. Why? Because many of these are the same people who state with conviction that, when a law/regulation exists regarding information protection, an organization MUST comply. While we might wish that were true, the fact is that compliance is ALWAYS a choice. It’s just another risk decision, usually a trade-off of some sort. Does the organization prefer to accept the risk associated with potentially being caught and facing legal and other losses, or would it prefer to accept the costs and business impact associated with complying?
The other consideration in play is the fact that many laws are open to interpretation. I’ve been in plenty of meetings where the ambiguity in law is leveraged in decision-making. Not in a malicious, bwah-ha-ha sort of way, but in a legitimate “How do we best manage the cost and risk associated with running a business?” sort of way. And for those who’d argue that’s a terrible thing, I’d bet a close look at some of your own decisions will find a little “harmless interpretation” of the law from time to time.
Of course, some people might argue that you can’t compare speeding, tailgating, and rolling through stop signs with the damage that can occur from a breach of credit cards or other PII. I beg to differ. I believe the risk associated with automobile accidents resulting from even relatively simple carelessness or thoughtlessness is significant.
The point is, when we adopt the premise that laws/regulations somehow eliminate choice and decision-making, we’re being naive, and this naiveté comes across pretty glaringly to many of the business professionals we serve and support. It’s just another example to them of the infosec geek lacking perspective and viewing our very grey world in black-and-white terms.