Compliance: The Bar Is Low

In the previous post, we talked about how security is essential and even foundational. However, what ends up driving security is unfortunately … compliance.

It is unfortunate that it takes an ombudsman to drive people to do things that are otherwise quite essential. The bigger disappointment, however, is that the bar it creates is … low.

There are good reasons why compliance cannot be leading edge. Policy and regulation usually trail technology, and they are mostly playing catch-up. In some cases the technology needed for compliance is unclear, hard to build, or hard to predict, so compliance can occasionally lead technology instead. Yet because the people writing the rules do not know what is actually achievable, the result is still a lowish bar. With all these limitations, compliance ends up being the lowest common denominator, a checklist to tick in order to satisfy the powers that be, rather than the gold standard for best behaviour.

If compliance actually worked, there would be no breaches. The fact is that most organisations claim compliance, and yet there are security problems all around. Compliance is necessary to nudge people in the right direction, but it is not an end in itself.

As mentioned in the previous post, security should be seen as a strategic advantage that unlocks an organisation's potential to innovate fearlessly, leveraging the right data needed to get the job done. It is unfortunate that the same security instead ends up being a drag on innovation and a curse for everyone involved. It is like many draconian laws passed in the name of fighting terrorism: the terrorists are still able to do what they need to do, while the common (wo)man suffers.

It's time to put security in its rightful place, driven by need rather than by compliance. If the fundamentally right things are done, compliance will follow. And when enough people do the right thing, it will not even be necessary to force anyone to be compliant. Let the market shame the bad actors, and let it decide who survives and who perishes when they follow poor practices. Security is just common sense, and it is simply good business.