All hail the gods of security!! We bow at the altar of our security gods: Kerberos and his father Typhon, PKI, 2FA, ISO 17799, ISO 27001. But ALL must bow at the altar of the greatest of these gods, Compliance.
So let's get serious – what is compliance? Literally, “compliance” (from dictionary.com) is:
1. the act of conforming, acquiescing, or yielding.
2. a tendency to yield readily to others, esp. in a weak and subservient way.
3. conformity; accordance: in compliance with orders.
4. cooperation or obedience: Compliance with the law is expected of all.
So from these definitions we can see that “compliance” is a weak, obedient function – tugging the forelock. Not a bad thing really, when we are yielding to authoritative experts. But are we?
The heretics amongst us know that Compliance in the modern business world is an institutionalised methodology for assigning blame in the event that control breakdown results in material loss. Take a moment to think about that.
In fact, the way the corporate community responds to compliance requirements is to ensure that responsibility for control breakdowns is delegated to, and attributable to, line management.
This is done to protect executive management from litigation and criminal proceedings (and, in fairness, executives have very little visibility of, or control over, control breakdowns, yet prima facie they bear the responsibility).
Now the obvious question that comes out of this is: “would modern compliance practices have prevented an Enron, an FIA, a Bond, a Skase”?
Without making any judgement on any of these individual cases, there is very little to suggest that they represent a fundamental breakdown of line or middle management controls. Rather, at least superficially, they read as case studies in top management neglect, abuse or misjudgement. And yet these are exactly the events which have triggered the compliance cult.
So do I adopt the daring stance? There are many in our industry and community who see the initiatives around “compliance” (not just security compliance) as a massive cost. I am aware of organisations who do not want to fall under the US supervisory regime simply because of the massive cost of compliance. For example, I have agreed with consulting executives that the cost of proving Sarbanes-Oxley compliance is TRIPLE the cost of a normal external audit. No big deal really, IF IT WILL MAKE A DIFFERENCE!
And so there is my proposition. Are we simply abasing ourselves at the altar of Compliance, or are we taking responsibility for protecting our shareholder and customer interests through the sensible application of precautions (controls or counter-measures, if you must) in the face of threats? I invite your uncensored comments.
In later articles, and with your feedback, I hope to probe these questions much more deeply.
Stephen Ford
Principal
Typhon Security Consulting
sjfordau@gmail.com
