Posted on February 1st, 2009 by Drazen Drazic
I talked in a previous post about PCI DSS vs. regulatory requirements in some countries (and in some industries). I thought I would expand a bit more on the topic of “regulation”.
In many posts here, I’ve talked about the benefits of regulation (done right) being a big driver for better IT security practices. I was interviewed by Computerworld on this topic about 6 years ago, and a representative from the Attorney-General’s Department disagreed with me, suggesting that the “new standards” they were going to develop (that showed businesses how to do things better) were sufficient, and that no regulation was required. Geez, even then we had plenty of “good practice” standards – we didn’t need more of them! (Side note: none did come out from the AGD anyway, that I am aware of.) We need(ed) someone to say: you MUST be doing this. You have an obligation to your business, your employees, your shareholders, your business partners, the business community and society in general!
I still believe that, and I disagree with arguments that the “market” should drive this. WTF does “the market” actually mean? When has “the market” done anything of substance to improve IT security practices in the last 15 years? We’re not going forwards, so how is “the market” going to now dictate and improve this? Magic? Open to your comments as usual. Read on. I’ve added a section from a talk I had with David Rice about regulation. I liked his thoughts on this:
Posted in PCI, PCI DSS, Risk Management, cyber crime, governance