20 Mar 2008

Information Security, Governance, Compliance and Safety Belts

The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice.

I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life.

I think that the same is true with Information Security. It won't (necessarily) save your life but it is good practice. And yet companies are only doing it because it is now law.

The problem with this is that it is not accepted by people in their hearts. I know of people who drive around without their belts on and put them half on when they see a traffic cop.

The Information Security equivalent is jacking up your InfoSec program when the auditors come to visit and letting it slide when they are not around. Or making sure that they don't see some issues that you are well aware of.

I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws. The thing is that the government is stepping in only because people are very bad at self regulation. Really, what a number of InfoSec experts are trying to promote is - understand why you need to protect yourself, understand how and abide by it. Do it for your company, not because the government demands it.

That way, not only will you be "compliant" and full of "good governance" but more importantly - your company will be safe.

The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice.

I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life.

I think that the same is true with Information Security. It won't (necessarily) save your life but it is good practice. And yet companies are only doing it because it is now law.

The problem with this is that it is not accepted by people in their hearts. I know of people who drive around without their belts on and put them half on when they see a traffic cop.

The Information Security equivalent is jacking up your InfoSec program when the auditors come to visit and letting it slide when they are not around. Or making sure that they don't see some issues that you are well aware of.

I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws. The thing is that the government is stepping in only because people are very bad at self regulation. Really, what a number of InfoSec experts are trying to promote is - understand why you need to protect yourself, understand how and abide by it. Do it for your company, not because the government demands it.

That way, not only will you be "compliant" and full of "good governance" but more importantly - your company will be safe.