Compliance Poll Analysis

A while ago, I did this quick poll on regulatory compliance – and here is the result analysis.

The “winners” are:

1. “No brainer” winner: PCI DSS with 59% – it is indeed ‘forevah’
2. ISO2700x is a surprising silver medalist with 36% (more than half of PCI?)
3. ITIL holds an even-more-surprising 3rd spot with 19% – at nearly 1/2 of ISO again
4. A bunch of supposedly “cool” regs share #4 spot with 12%-15%: FISMA, HIPAA, SOX
5. …and the same percentage (15%) is held by “I don’t care about that compliance sh*t”

Notable write-ins were:

• NIST (in general, I guess beyond just FISMA)
• Red Flag (financial)
• CFATS (?)
• PHIPA, MFIPPA  (?)
• EU Data Privacy laws

What does it tell us? What can we hypothesize based on our totally unscientific compliance poll?

• All this talk about PCI DSS impacting security at large is very real – now and likely in the near future. I might argue with Josh about whether the impact is positive or negative – but it is HUGE. It definitely goes way beyond retail and ecommerce.
• ISO27001 came back to life somehow. That’s probably a good thing….
• Not sure what the lesson from ITIL being #3 is – that folks from UK read my blog? :-)
• Finally, I think the people who don’t care about compliance split into two opposite camps: people who don’t EVEN CARE ABOUT COMPLIANCE (much less security) and people who care about security and operational excellence which gives them compliance [not for free, mind you!] So, 19% covers both of these camps.

Any other thoughts?
Possible related posts:

• All posts on polls and their analysis