In 2001 Enron collapsed under the weight of the massive fraud it had been engaged in. In 2002 Congress passed Sarbanes-Oxley, a law that did virtually nothing to eliminate or even reduce corporate fraud (somehow the naïve belief that you can eradicate evil with legislation just won’t go away). What it did do is spread fear in executive offices. By 2004, CIOs were scrambling to become compliant with rules that, if they existed at all, were not at all clear (Kafka wrote about this dilemma a hundred years ago). And out came the fear mongers who conjured up the specter of jail time for executives, including chief information officers.
The Golden Goose of the Compliance Industry
As time passed, fear of noncompliance spread like wildfire through corporations. The resulting behavior was sometimes as bizarre and irrational as can be, in one word – Kafkaesque. I once was questioned by the board of directors of a Fortune 300 corporation about an audit finding considered serious enough by the auditor to be escalated to the highest level. Rules were indeed not followed to a tee, but there was zero probability this violation could have caused any damage. But fear of the unknown prevailed and I received a strong verbal reprimand.
In the following years many more regulations were issued by well-meaning bureaucrats who were, of course, assisted by the very consulting companies who would advise their clients how to comply with those regulations and also conduct audits to verify compliance. We are now at a point where compliance has become a core competency for companies in a number of industries. The total value, which may well be a large number with a minus sign in front of it, of all this activity has never been estimated.
Our Current System Values Compliance over Security
Enter the all-too-real threat of cybercrime, which has become more and more relevant. One might assume that compliance with existing frameworks would take care of the cyber threat – not so. At best, compliance and security overlap. I have heard CIOs state that they’d rather be compliant than secure. That is understandable – every year you are subject to at least one major audit, the result of which is a report card. If you pass, you get a pat on the back. If the auditors’ report shows minor transgressions you get a slap on the wrist, but beware of the consequences of major findings!!!
Achieving compliance is not that hard. If you follow the rules, the auditor will give you a check mark for each of them and you walk away unscathed. Of course, if you have not quite followed all the rules, there are alternatives to avoid damage. Potemkin villages have fooled rulers for centuries, and surely a creative staff can create a similar effect to fool the auditors. Better yet, you develop a symbiotic relationship with your auditor, who will give you a pass with a wink and a nod in order to maintain the steady income stream generated by subsequent audits.
Our Cybersecurity Depends on Knowing the Difference Between Security and Compliance
In the meantime, until there is a real cyber breach in your enterprise, you kick the security can down the road. The periodic penetration test proves only one thing – the company performing the test is simply not good enough to hack your system. Improving security can become a bottomless pit, and the end result will always fall short of perfection. Consequently, and since there is no certifiable end state for cybersecurity, CIOs are always tempted to concentrate their limited resources on compliance while keeping security efforts to a reasonable “best practices” minimum.
CIOs need to show a bit more courage and educate executive management and the board on the real threats to the corporation and our country. Believe me, Russian or Chinese intelligence operatives do not spend one second scheming about how to do damage to America by undermining our compliance efforts. A word of encouragement for CIOs willing to shift the balance a bit more in favor of doing the right thing: So far not a single CIO has gone to jail or has otherwise been severely punished by the SEC for noncompliance.