Friday, September 17, 2010

Compliance Poll Analysis

A while ago, I did this quick poll on regulatory compliance – and here is the result analysis.
The “winners” are:
  1. “No brainer” winner: PCI DSS with 59% – it is indeed ‘forevah’
  2. ISO2700x is a surprising silver medalist with 36% (more than half of PCI?)
  3. ITIL holds an even-more-surprising 3rd spot with 19% – at nearly 1/2 of ISO again
  4. A bunch of supposedly “cool” regs share #4 spot with 12%-15%: FISMA, HIPAA, SOX
  5. …and the same percentage (15%) is held by “I don’t care about that compliance sh*t”
Notable write-ins were:
  • NIST (in general, I guess beyond just FISMA)
  • Red Flag (financial)
  • CFATS (?)
  • PHIPA, MFIPPA  (?)
  • EU Data Privacy laws

What does it tell us? What can we hypothesize based on our totally unscientific compliance poll?
  • All this talk about PCI DSS impacting security at large is very real – now and likely in the near future. I might argue with Josh about whether the impact is positive or negative – but it is HUGE. It definitely goes way beyond retail and ecommerce.
  • ISO27001 came back to life somehow. That’s probably a good thing…
  • Not sure what the lesson from ITIL being #3 is – that folks from UK read my blog? :-)
  • Finally, I think the people who don’t care about compliance split into two opposite camps: people who don’t EVEN CARE ABOUT COMPLIANCE (much less security) and people who care about security and operational excellence, which gives them compliance [not for free, mind you!]. So, 19% covers both of these camps.
Any other thoughts?
Possible related posts:
  • All posts on polls and their analysis

Dr Anton Chuvakin