Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

[Valdis.Kletnieks () vt edu]

On Wed, 21 Apr 2010 14:44:35 PDT, Mike Hale said:

> According to the paper, roughly 40% is spend on directly securing
> secrets, and another 40% is spent on compliance of some type.  They
> further suggest that half of this compliance spending is spent on
> internal compliance, and half on regulatory/external compliance.

> I find the findings completely flawed.  Am I missing something?

My reading of it is "we spent 40% actually securing it, and an equal amount
on total bullshit paperwork and checkbox-checking to "prove" we secured it,
and the paperwork and checkboxes didn't do anything to directly secure the
data".  Consider - if you spend a week talking to the auditors, that's a
week's salary spent on talking to auditors that didn't actually do squat for
the security.

Similar to if you had to get a yearly safety inspection on your car, and
you had to pay $20 to the mechanic to do the inspection (which will hopefully
actually verify your car meets the legal standards if your mechanic is honest),
but then had to spend another $20 to file the paperwork with the local
Dept of Motor Vehicles to make it official.

Attachment: _bin
Description: