You can laugh, but you probably won't if you're one of the many security staffers throughout the land who are subject both to the whims of badly written regulatory compliance rules and to the tyrants—a.k.a. auditors—who have the power to enforce them, often at the expense of actually securing anything at all, as well as at the expense of security budgets that could actually secure something. [Also read Your Guide To Good-Enough Compliance.]

In this case, there was an audit requirement that the bank—which Wherry declined to identify—have an annual failover test. Unfortunately, the requirement didn't require the failover to succeed or that it had to be remediated if it failed. So that's what the bank was doing: testing and hoping it would work. . .someday. [Also read Compliance, Convergence and How IT Fits.]

In the security field, these are the people causing the most damage for CIOs: the "security and compliance people who have no real knowledge about what's needed," says Alan Paller, director of the SANS Institute.

The problem isn't limited to failover tests that don't require success. The problem also encompasses, for example, wasting money on purchasing consultants to write reports that collect dust on a shelf or other budget blunders, Paller says. "You take money out of the budget to buy a report that no one will read because some compliance guy says you have to," he says.

The disconnect between regulations and security has even caught the attention of Capitol Hill. One example: Fisma (Federal Information Security Management Act) compliance is up. The Office of Management and Budget reported that in 2007, 92 percent of information systems were certified and accredited, 86 percent of agencies had a tested contingency plan and 95 percent had tested security controls. The appropriate response: something along the lines of "whoopty do."