Sunday, March 4, 2012

More Compliance Sham-WOW!

I've said it before and I'll say it again. Compliance is a sham. Most are vague attempts at kinda hoping you'll make appropriate security decisions and protect people's data that reside on your systems. Others have very detailed lists of what you should be doing, which, from the business side of the house, is completely impractical to comply with, so most organizations adopt a "we're doing our due diligence" mentality of trying to at least show small, annual signs of compliance improvement in hopes that if that low probability event actually occurs, they will not be held accountable because they can produce the appropriate "metrics" that tell the all too familiar tale of compliance costs vs. revenue and GP.

The latest Sham-WOW compliance movement has been introduced by several congress-persons, including Joe Lieberman, and boy is it a doozy. Jody Westby's story in Forbes (here) sums up most of it very astutely, but doesn't touch upon what I feel is a larger, underlying battle. We are rapidly approaching a very complicated paradigm shift regarding our national economies and who is responsible for protecting our national assets and interests. I've previously discussed the economic dangers of the theft of our innovations and how we are no longer (for the most part) in an era where our government can protect our industries by reacting with physical force.

Yet, the antithesis of bombing the daylights out of an adversary for cyber-stealing NASA secrets and the like appears to be applying more regulatory compliance to the formula. I can hear all of the equipment vendors cheering already. "Buy this device and you will be <insert the latest govt. regulation here> compliant." It's crap like this that makes my life more hectic in my attempts to un-"educate" people who have already taken the bait and are now chasing the carrot of compliance.

Compliance almost never means Secure; Secure almost always means Compliant. At this point I forget who even said that first (credit anyways). There was a time I felt it might take a few levels of governmental regulation to get to some semblance of Business Security, but no longer. Litigation is king, and even that has diminishing returns in this day and age of the "international mystery man", more commonly known as the C.H.E.W. factors.

Standards, people. And the lack thereof. We spend so much money investing in systems that will "protect" us from weaknesses that should have already been vetted in the actual application that it is no wonder each and every industry is overwhelmed with thousands of vendors touting the latest and greatest solution to combating <insert APT here> in your enterprise. Focus on the root causes. Awareness and coding standards. Develop them. Enforce them. Don't buy software from vendors who aren't active contributors to such standards, etc. I realize this is as much of an uphill battle as complying with some of the regulatory standards, but at least it would actually make an impact.

Just be, as good infosec professionals strive to be, proactive about it. Don't be complacent and allow a bunch of aging congressmen who aren't really sure how to turn on their "tweeter" to be responsible for developing another completely erroneous and ineffective infosec regulatory compliance standard just because we can't collectively troubleshoot root cause issues and become a community dedicated to actual problem solving, debugging and solutions.