Engagement vs. Compliance
Compliance is often necessary and in certain circumstances it is required. This article isn’t trying to imply otherwise, or trying to solve the complex compliance and regulatory debate on every issue. This article is about the power of words and the fact that how you say something definitely matters. It encourages thinking about and approaching things related to Information Security differently.
The word compliance has all kinds of negative connotations that can, by its very nature, turn people off from doing the very thing the word attempts to accomplish.
The definition of compliance according to Dictionary.com (paraphrased):
1. “The act of conforming.”
2. “Yield especially in a weak and subservient way.”
3. “Conformity”
Daniel Pink, in his book “Drive: The Surprising Truth About What Motivates Us”, touches on this simple yet amazing phenomenon. Many of the ideas in this article are gleaned from this book, which is highly recommended reading. See this article for a brief explanation: http://enviableworkplace.com/motivation-3-0-%E2%80%93-from-compliance-to-engagement/
Pink’s research found that “50% of employees are not engaged at work and 20% are actively disengaged and the cost of all this disengagement amounts to about $300 billion a year in lost productivity.” Why build an Information Security program around a word that, by its own definition, encourages disengagement? People will do the bare minimum and will be disengaged. Productivity is likely to decrease under this approach. I believe the engagement approach will not only allow all the compliance requirements to be met, but will create a much more secure environment. I also believe it will actually “motivate” staff to be more excited about integrating security measures into their day-to-day activities and responsibilities, which will benefit the organization greatly, saving time and money.
Another important point is PCI Compliance alone doesn’t equal security. Organizations “like 7Eleven, Hannaford Brothers and Heartland Payment Systems all experienced breaches, while they were PCI compliant but they still had a huge SQL injection vulnerability that was exploited by the attacker to gain access to over 130 million credit cards.”
This is evidence that compliance doesn’t necessarily equal good security. While that is the reality, it is still often required and necessary to do. As Security Professionals, we have to be careful not to ignore regulatory compliance altogether, as it is not going away anytime soon and it would be irresponsible to ignore it. If anything, it is getting more prevalent in all sectors across the board, even including non-profit organizations. The problem is making compliance the ultimate goal. The goal should be “engagement of all stakeholders” to “own” their part and see the benefit of following through on and embracing security initiatives, because it will ultimately benefit them and the organization.
This model has a greater potential to exceed compliance requirements, will cost less, will enhance the business, and will increase security at the same time.