Disarming the internal voice
Posted by aog, Friday, 09 January 2004 at 07:56

As you may know, I work in network security management. I’ve been off at a summit discussing the future of the product. While listening to our chief marketing guy talk about future requirements, he said something I found astounding. Paraphrasing, the gist was that our corporate customers cannot comply with their reporting and auditing requirements. There are so many, and they are so detailed, that compliance is apparently no longer possible. The point for us is that any auditing done by our software should be designed with this fact in mind: rather than verifying compliance, it should be able to document the level of failure to comply.

Further, it seems that this situation is known to the regulating agencies, and the requirement is now not actual compliance but “improvement” over time (which is where our reports can contribute). It’s the “no child left behind” theory of corporate regulation. One is left to wonder if we shouldn’t be trying for a set of regulations that is actually possible to obey. The answer, of course, is that it’s best for the regulators if everyone is guilty of something. Then when bad things happen, there is a nice selection of the usual suspects to pin the blame on, all of them disarmed because they are in violation of some regulation.

In another sense, it’s cargo cult regulation. Some good company is observed to perform some action. Therefore if every company is required to do that, they will be good companies. In fact, this kind of regulatory environment, with endless obscure rules and universal compliance failure, is perfect for the sophisticated con men. Not only does it provide a thicket of procedures to hide in, but it distracts everyone into watching the forms without time to worry about the results. All that good corporate governance in Europe let Parmalat get by with shady accounting longer than any American company. It seems like there’s a lesson there somewhere.

Comments
Anon Thursday, 15 January 2004 at 06:43

“our corporate customers cannot comply with their reporting and auditing requirements.”

This is so true.

I work in networks too, and every year I get sent a questionnaire by central auditing. It always contains a question like “Do you regularly monitor your audit logs to search for [some bad event or other]?”

If you answer No (being truthful) and go on to explain why it is impossible - like for instance, the log is a squillion pages long, unsearchable free-form text, and doesn’t log [super-bad event] anyway - then they nag you to death demanding to know when you are going to start, never mind that it’s impossible etc etc.

Whereas if you answer Yes (lying) you never hear any more about it.

So guess which answer they get?

What purpose is served by this? The one you mention, I imagine - if anything goes wrong I can be screwed. Well, I will be anyway, so who cares.

vbc Thursday, 15 January 2004 at 15:38

You say that it seems like there is a lesson in there somewhere. There is, and it was formulated nicely by the ancient Roman, Cicero:

Excessive law is no law.

Tracked from 'Nother Solent: Cargo cult regulation on 15 January 2004 at 20:46

... On a more serious note, this post about regulation by Thought Mesh contains a whole bundle of profound truths. ... the gist was that our corporate customers cannot comply with their reporting and auditing requirements. There are so many...

Tracked from Samizdata.net: Excessive law is no law on 16 January 2004 at 11:43

Natalie Solent links to this posting at Thought Mesh, about the realities of regulation. Thought Mesh seems to be US based, but the message is universal: As you may know, I work in network security management. I’ve been off at a summit discussing the f...

Tracked from shonk::selling waves: A Department of Anarchy on 16 January 2004 at 16:16

From TM Lutas’ proposal for a Department of Anarchy : There is now no real institutional constituency in government for less government. There should be. Nice sentiment, especially given the reality of regulation with which it is impossible to co...

Tracked from White Rose: How excessive regulation leads to arbitrary government on 16 January 2004 at 16:37

I've just done a posting at Samizdata about the phenomenon of excessive regulation, so excessive that even if an organisation...
