Wednesday, April 27, 2011

Peculiar Bit on Compliance vs Risk (Again)

So, yes, seatbelts. One of my favorite compliance metaphors lately, which I have considered infallible (and used everywhere). After all, everybody knows that seatbelts save lives and there is plenty of reliable evidence of that, coming from DoT / NHTSA studies (this one, BTW, is worth a skim for the infosec crowd, for sure), etc. So, we all know that….

However, the other day I was in Russia, traveling to Lake Baikal in particular (long story, but it has to do with my wife’s love of exotic locations, both tropical and permafrost-bound)

Given that it was still winter and given that roads in Russia are …mmm…. not, most locals simply drive on the ice of a lake – it is way smoother, shorter and faster than “doing the road thing.” Besides, that is the only way to reach some lake islands in winter (bonus question for advanced readers: how do the locals get to those islands when the lake is already frozen [no boats], but the ice is too thin for cars or already broken down [no cars]? Answer)

In any case, we got into a car and I started to fasten the seatbelt. At that very moment, the driver looked at me funny and said something along the lines of “Wow, having suicidal thoughts lately, aren’t you?”

And at that moment, risk collided with compliance in my head. Boom! I was in one of those rare environments where your risk model is completely different (from the one regulators imply when building the regulations) and traditional compliance rules just don’t apply. By the way, even traffic police there will never fine you for “driving on the lake with seatbelts off.”

Well, all others must go do PCI compliance :)

Dr Anton Chuvakin