


This is the problem with the current "compliance by audit of controls" approach.

Govt sees risk to consumer.

Govt tells corporation "build/buy more controls".

Corp. sees new, higher level of Probable Loss in Risk.

Corp seeks to reduce new risk. Can either ignore risk (not an option with gov't compliance), mitigate risk (which means more cash for a cost center - a bad thing) or transfer (which costs nothing and reduces risk). Hmmmmm.... who wonders which one they'll choose?

Corp creates a mitigate & transfer solution (mitigate a minimum to provide due diligence).

Consumer now has risk transferred to them. Hooray!

If the gov't really wanted to reduce risk to the consumer, they'd focus not on "prevent" but on "detect and respond" on behalf of consumers, with cash penalties paid *quickly*.

This would force the Corp to focus more on "prevention".
