Perimeter
6/7/2012
10:57 AM
Connect Directly
RSS
E-Mail
50%
50%

The Truth Is Not Believable

Too many businesses don’t want to know about their compliance problems

If you are an IT professional, then you’ve likely faced battles to get necessary technical projects approved and funded. Compliance-related projects are frequently even harder to get approved because they may often be seen by management as delayable expenses with little to no return. Times are tough, money is tight, and compliance projects can wait until another day.

If you are a nontechnical business leader, then I think you might admit that all of these tech projects seem like never-ending, expensive magic -- maybe genuinely necessary magic for the business, but magic nonetheless that involves a good deal of uncertainty: Which projects are the most urgent? Are their cost estimates reliable? Oh, and that eternal question: Surely, you can find an adequate answer for less money, right?

At first glance, compliance with rules, regulations, and laws seems cumbersome, especially to newer organizations accustomed to growing quickly in today’s Web-driven economy. Anything that adds time, cost, and distraction is undesirable.

I was in a meeting recently with Carolyn Campbell, an officer for Human Resource Management, and she made a very interesting observation. She said her firm rarely loses compliance projects to another firm, but instead to inaction. Clients simply don’t do anything to address their problems, which begin with refusing to acknowledge the possibility of problems.

In other words, these companies simply keep not doing right whatever they were already not doing right and continue doing wrong whatever they were doing wrong before. In small and midsize businesses, this typically means having the HR duties (and related compliance issues) managed by an unprepared CFO or staff member.

By not hiring Carolyn or someone else who can really help them, these companies intentionally choose to be ignorant of their HR compliance risks, sometimes finding a false confidence in not knowing where the liabilities are and what action they will require. Ignorance apparently remains blissful for some. For these business leaders, as my friend Bill Thomas often says, “The truth is not believable.”

We find exactly the same issue with companies that have technical-related compliance programs. “How we’ve always done it” often trumps proper assessments and resolution action.

There can also be the challenge of, “We know we have issues, but we’ll deal with them when we have more time and money.” Occasionally, organizations follow through on this plan. More often, even when there is more money, there is rarely ever more time. And as a staff develops operational habits, they inherently develop procedural and security issues, then sometimes become a huge obstacle in overcoming these compliance problems.

Too many professionals, both technical and nontechnical, ignore compliance issues. They choose not to believe the truth, sometimes taking care to keep the truth as far away as possible. To seek and engage any truth, including the truth of compliance and security issues, can require painful steps. It takes a kind of courage not every businessperson has.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and address often hidden risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio