Are we at risk of looking away and missing the action? Legal and regulatory pressure risks turning security into a tick-box exercise. Boards rely on security professionals to deliver on corporate issues such as compliance without forgetting the underlying risks. Changes such as the European Commission proposals on Data Protection will only increase the focus on regulatory risk. From a security standpoint, it’s the wrong focus.
If we’re actually going to reduce data loss incidents, we need to change the way people behave. That’s about convincing directors that security isn’t just a compliance issue, which will be hard to do when compliance is the easiest way to build a business case for investment. It also means getting beyond ‘tick-box’ awareness exercises and influencing corporate culture in order to embed security into the way staff think on the job.
A shame then that so much of the current focus is on legislation.