Home page logo

basics logo Security Basics mailing list archives

Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
From: Valdis.Kletnieks () vt edu
Date: Thu, 22 Apr 2010 16:43:14 -0400

On Wed, 21 Apr 2010 14:44:35 PDT, Mike Hale said:

According to the paper, roughly 40% is spend on directly securing
secrets, and another 40% is spent on compliance of some type.  They
further suggest that half of this compliance spending is spent on
internal compliance, and half on regulatory/external compliance.

I find the findings completely flawed.  Am I missing something?

My reading of it is "we spent 40% actually securing it, and an equal amount
on total bullshit paperwork and checkbox-checking to "prove" we secured it,
and the paperwork and checkboxes didn't do anything to directly secure the
data".  Consider - if you spend a week talking to the auditors, that's a
week's salary spent on talking to auditors that didn't actually do squat for
the security.

Similar to if you had to get a yearly safety inspection on your car, and
you had to pay $20 to the mechanic to do the inspection (which will hopefully
actually verify your car meets the legal standards if your mechanic is honest),
but then had to spend another $20 to file the paperwork with the local
Dept of Motor Vehicles to make it official.

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]