Perimeter
6/7/2012
10:57 AM
Connect Directly
RSS
E-Mail
50%
50%

The Truth Is Not Believable

Too many businesses don’t want to know about their compliance problems

If you are an IT professional, then you’ve likely faced battles to get necessary technical projects approved and funded. Compliance-related projects are frequently even harder to get approved because they may often be seen by management as delayable expenses with little to no return. Times are tough, money is tight, and compliance projects can wait until another day.

If you are a nontechnical business leader, then I think you might admit that all of these tech projects seem like never-ending, expensive magic -- maybe genuinely necessary magic for the business, but magic nonetheless that involves a good deal of uncertainty: Which projects are the most urgent? Are their cost estimates reliable? Oh, and that eternal question: Surely, you can find an adequate answer for less money, right?

At first glance, compliance with rules, regulations, and laws seems cumbersome, especially to newer organizations accustomed to growing quickly in today’s Web-driven economy. Anything that adds time, cost, and distraction is undesirable.

I was in a meeting recently with Carolyn Campbell, an officer for Human Resource Management, and she made a very interesting observation. She said her firm rarely loses compliance projects to another firm, but instead to inaction. Clients simply don’t do anything to address their problems, which begin with refusing to acknowledge the possibility of problems.

In other words, these companies simply keep not doing right whatever they were already not doing right and continue doing wrong whatever they were doing wrong before. In small and midsize businesses, this typically means having the HR duties (and related compliance issues) managed by an unprepared CFO or staff member.

By not hiring Carolyn or someone else who can really help them, these companies intentionally choose to be ignorant of their HR compliance risks, sometimes finding a false confidence in not knowing where the liabilities are and what action they will require. Ignorance apparently remains blissful for some. For these business leaders, as my friend Bill Thomas often says, “The truth is not believable.”

We find exactly the same issue with companies that have technical-related compliance programs. “How we’ve always done it” often trumps proper assessments and resolution action.

There can also be the challenge of, “We know we have issues, but we’ll deal with them when we have more time and money.” Occasionally, organizations follow through on this plan. More often, even when there is more money, there is rarely ever more time. And as a staff develops operational habits, they inherently develop procedural and security issues, then sometimes become a huge obstacle in overcoming these compliance problems.

Too many professionals, both technical and nontechnical, ignore compliance issues. They choose not to believe the truth, sometimes taking care to keep the truth as far away as possible. To seek and engage any truth, including the truth of compliance and security issues, can require painful steps. It takes a kind of courage not every businessperson has.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and address often hidden risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio