Thu, May 29, 2008 — CIO — It was a dark and stormy day. Tornadoes had touched down within 100 miles of the bank's data center. The data center was at the top floor of a tall building. Phil Wherry, a consultant currently serving telecom and healthcare clients, had driven over to the bank that day—a few years ago—to do a gig as security auditor. Wherry got to the facility and started asking the IT people about disaster recovery. "I said, 'You've got this nice data center up on top of this building—what do you do if a tornado takes the roof up?' The guy said, 'We have a backup facility in New Jersey. We have all the equipment necessary to failover bank operations,'" Wherry recalled. OK, Wherry thought. Not bad. "We test it annually," the staffer said. OK, Wherry thought, You've done your homework. "One of these years we hope it works," the bank employee concluded.

You can laugh, but you probably won't if you're one of the many security staffers throughout the land who are subject both to the whims of badly written regulatory compliance rules and to the tyrants—a.k.a. auditors—who have the power to enforce them, often at the expense of actually securing anything at all, as well as at the expense of security budgets that could actually secure something. [Also read Your Guide To Good-Enough Compliance.]

In this case, there was an audit requirement that the bank—which Wherry declined to identify—have an annual failover test. Unfortunately, the requirement didn't require the failover to succeed or that it had to be remediated if it failed. So that's what the bank was doing: testing and hoping it would work. . .someday. [Also read Compliance, Convergence and How IT Fits.]

In the security field, these are the people causing the most damage for CIOs: the "security and compliance people who have no real knowledge about what's needed," says Alan Paller, director of the SANS Institute.

The problem isn't limited to failover tests that don't require success. The problem also encompasses, for example, wasting money on purchasing consultants to write reports that collect dust on a shelf or other budget blunders, Paller says. "You take money out of the budget to buy a report that no one will read because some compliance guy says you have to," he says.

The disconnect between regulations and security has even caught the attention of Capitol Hill. One example: Fisma (Federal Information Security Management Act) compliance is up. The Office of Management and Budget reported that in 2007, 92 percent of information systems were certified and accredited, 86 percent of agencies had a tested contingency plan and 95 percent had tested security controls. The appropriate response: something along the lines of "whoopty do."