If you flipped through my slides from the CSO Summit, you noticed slide #4 with a picture of a seatbelt. Why is it there?
That is why. This post really tied together (for me) everything that happens in security today, and its essence is this quote:
"The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice. I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.
The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life."
"I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about 'self protection' laws like safety belt laws."
If you see anything weird in today's "compliance-heavy" security industry, it is probably explained by this phenomenon.