Not that I completely disagree with this, but the article is riddled with yellow journalism, lack of understanding, and poor fact checking. PCI, for example, is a payment industry self-regulatory body, and PCI-DSS is a rare example of security regulation that went right. Another good example is FIPS, where the government stepped in and provided a cryptographic standard.

In a lot of cases compliance is on the IT equipment/product vendor to meet mandated procurement/contractual requirements. This process is not always about increased security, but claiming that we would be better off without it entirely is demonstrably wrong. Why? Because vendors know well that security is expensive, and they can get a better return on investment from marketing or discounts. Consumers, even IT managers, are often not educated enough to know better.

Stating that IT managers are focusing on compliance is not incorrect, but that has little to do with government regulation and a lot to do with liability analysis and the infeasibility of "complete" protection. Unregulated breaches are harder to litigate and will result in lower potential liability than ones that are regulated or covered by some standard, where you can be demonstrated to be negligent.

Last edited by sini; 03/03/13 07:51 AM.