New Study: Compliance Is Wasted Money

Article on SlashDot.org.

Slashdot has a link to an interesting study commissioned by Microsoft and the RSA. It shows the high cost of resources and funds to compliance outweigh those provided to protect corporate secrets. E.g. Custodial vs. Secret data.

The report is keen to point out that there is limited cost / damages for (in most cases) Custodial Data loss. Granted, it could be very expensive - but not as much as say loosing your entire market and going out of business.

What I think is missing from this report is how much of the lessons learned, or practices developed, for Compliance / Custodial Data Protection are reused for Secret Data. Inculcating things like Segregation of Duties, Auditing, Accounting and Need to Know / Access is valuable.

I prefer to use the "no compromising" need for compliance to groom and gain acceptance for methodologies and procedures guarding Secret Data. It's a great tool when you think about it, and as the study shows you are more likely going to get funding for a compliance regulation then you are guarding something that has "never been stolen before."

And really, isn't that the end-all of this? If no one has ever stolen something in the way you want to protect against, you are somewhat of a snake oil salesman when trying to make the claim that it is a risk.

Very few companies, even in this digital age, see their corporate secrets as being super important. Protection of Intellectual Property (IP) is seen as a defense of Trade Mark and Property rights. But that is normally only done for items that will enter the public market, not for example your well built proprietary system that allows you to produce something far cheaper and in a way never thought of by any of your competitors. With everything being digital, the very work you produce should be protected, but few stop to think about and protect the programs and tools developed to create that final product.

So I am not sure how much of this is in fact due to excessive focus on Compliance vs. no one is really out selling the idea that there is more to secure than just what the Government tells us we need to be securing.