Compliance with information security regulations is supposed to be, as the most recent iteration of the PCI DSS (Payment Card Industry Data Security Standard) puts it, "business as usual."
But many organizations feel like they are drowning in such a sea of regulations that constant compliance with them all doesn't give them much time to run their usual business.
Indeed, the number of compliance frameworks, most aimed at specific industries but often overlapping, amounts to an alphabet soup that could make an IT manager's eyes glaze over before even starting on the fine print.
The best known, because it affects credit card security (and there have been so many high-profile breaches in the retail sector), is the PCI DSS. But the list goes on ... and on.
There is SOX (Sarbanes-Oxley), aimed at protecting investors from accounting fraud; HIPAA (Health Insurance Portability and Accountability Act), which protects health information held by healthcare providers, insurers and their business associates; the NIST (National Institute of Standards and Technology) publications, notably the SP 800 series, which define security controls for federal systems and are widely adopted by industry; the NERC (North American Electric Reliability Corporation) CIP standards for operators of the bulk electric system; FISMA (Federal Information Security Management Act), which applies to federal agencies; FACTA (Fair and Accurate Credit Transactions Act), aimed at protecting against identity theft; the ISO/IEC 27000 series (commonly "ISO 27K"), which provides best-practice requirements and recommendations for information security management systems; and more.
To the surprise of no one in the industry, a lot of organizations aren't keeping up.
Verizon's "2015 Compliance and Security Report," released earlier this month, did report some good news -- that compliance rates between audits increased by an average of 18% across 11 of the 12 requirements.
But in a number of cases that improvement started from a very low bar. The share of companies validated as fully compliant in their interim assessments rose by 9 percentage points, yet that only brought it to 20%.
Other surveys showed similar gaps between goals and reality. A DataMotion survey found that about three-quarters of the respondents said their employees occasionally violate their compliance and security policies, many of them doing so knowingly so they can get their jobs done.
Another survey, by Proficio, found that only 43% of respondents said they met the PCI DSS 3.0 requirements when those became mandatory on Jan. 1, although 90% believed they would be compliant within six months.
Why the gap? Some call it compliance fatigue. According to Craig Isaacs, CEO of Unified Compliance Framework, "compliance is already out of control, and we expect security regulations and standards to become increasingly stringent in the year ahead. Most organizations have no idea what is actually required of them because they have no way of seeing all the requirements at once."
Rich Mogull, analyst and CEO at Securosis, says this is nothing new. "It's been this way for at least 10 years, maybe longer," he said. "People have been grumbling about it since SOX hit (in 2002), and some CISOs spend 30% or more of their time dealing with compliance issues."