Perimeter
6/7/2012
10:57 AM
50%
50%

The Truth Is Not Believable

Too many businesses don’t want to know about their compliance problems

If you are an IT professional, then you’ve likely faced battles to get necessary technical projects approved and funded. Compliance-related projects are frequently even harder to get approved because they may often be seen by management as delayable expenses with little to no return. Times are tough, money is tight, and compliance projects can wait until another day.

If you are a nontechnical business leader, then I think you might admit that all of these tech projects seem like never-ending, expensive magic -- maybe genuinely necessary magic for the business, but magic nonetheless that involves a good deal of uncertainty: Which projects are the most urgent? Are their cost estimates reliable? Oh, and that eternal question: Surely, you can find an adequate answer for less money, right?

At first glance, compliance with rules, regulations, and laws seems cumbersome, especially to newer organizations accustomed to growing quickly in today’s Web-driven economy. Anything that adds time, cost, and distraction is undesirable.

I was in a meeting recently with Carolyn Campbell, an officer for Human Resource Management, and she made a very interesting observation. She said her firm rarely loses compliance projects to another firm, but instead to inaction. Clients simply don’t do anything to address their problems, which begin with refusing to acknowledge the possibility of problems.

In other words, these companies simply keep not doing right whatever they were already not doing right and continue doing wrong whatever they were doing wrong before. In small and midsize businesses, this typically means having the HR duties (and related compliance issues) managed by an unprepared CFO or staff member.

By not hiring Carolyn or someone else who can really help them, these companies intentionally choose to be ignorant of their HR compliance risks, sometimes finding a false confidence in not knowing where the liabilities are and what action they will require. Ignorance apparently remains blissful for some. For these business leaders, as my friend Bill Thomas often says, “The truth is not believable.”

We find exactly the same issue with companies that have technical-related compliance programs. “How we’ve always done it” often trumps proper assessments and resolution action.

There can also be the challenge of, “We know we have issues, but we’ll deal with them when we have more time and money.” Occasionally, organizations follow through on this plan. More often, even when there is more money, there is rarely ever more time. And as a staff develops operational habits, they inherently develop procedural and security issues, then sometimes become a huge obstacle in overcoming these compliance problems.

Too many professionals, both technical and nontechnical, ignore compliance issues. They choose not to believe the truth, sometimes taking care to keep the truth as far away as possible. To seek and engage any truth, including the truth of compliance and security issues, can require painful steps. It takes a kind of courage not every businessperson has.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and address often hidden risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4632
Published: 2015-01-31
VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 does not properly verify X.509 certificates from vCenter Server SSL servers, which allows man-in-the-middle attackers to spoof servers, and bypass intended backup and restore access restrictions, via a crafted certifica...

CVE-2014-7287
Published: 2015-01-31
The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.

CVE-2014-7288
Published: 2015-01-31
Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action.

CVE-2014-8266
Published: 2015-01-31
Multiple cross-site scripting (XSS) vulnerabilities in the note-creation page in QPR Portal 2014.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) body field.

CVE-2014-8267
Published: 2015-01-31
Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.