Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

That is not really surprising. Regulations are (fairly) clearly
defined 'tick box' exercises. They avoid three difficult requirements:
identifying what is important and should be protected; identifying
what is an acceptable response; and persuading the executive it is

If you have a regulation (like PCI and HIPAA, for example) it defines
what should be protected and what is expected as a reasonable
response. The weight of the law, or a regulatory authority, that
defines fines and even makes CXOs personally responsible quickly gets

The best hope is that with a bit of innovative thinking infosec
professionals can implement a programme that covers various
regulations, finds synergy between them and properly protects valuable
assets. It should then be possible to cover other information assets
that are important to the organisation, but not covered by
regulations, at only incremental costs.

Personally I think the values created by Forrester are a bit suspect.
They don't give any information about the mix of industries and sizes
of the enterprises represented in the survey. My assumption is that
they are all Forrester customers. This means they are large and they
are extremely reliant on information and technology to run their

On 6 April 2010 07:23, Ivan . <ivanhec@xxxxxxxxx> wrote:
For those who don't frequent slashdot.......

"Enterprises are spending huge amounts of money on compliance programs
related to PCI-DSS, HIPAA and other regulations, but those funds may
be misdirected in light of the priorities of most information security
programs, a new study has found. A paper by Forrester Research,
commissioned by Microsoft and RSA, the security division of EMC, found
that even though corporate intellectual property comprises 62 percent
of a given company's data assets, most of the focus of their security
programs is on compliance with various regulations. The study found
that enterprise security managers know what their companies' true data
assets are, but find that their security programs are driven mainly by
compliance, rather than protection (PDF)."


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -