In her column, The Agency Insider, Linda McGlasson writes in a post
GLBA and Security Avoidance Questions - Why Are We Not Surprised? about GLBA compliance.
Thee post is about her dismay when hearing "What is the bare minimum we can do and still operate as a business?" from many large banks. She goes as far as saying that hearing that is "the number one sign that there is something wrong with the approach many financial services companies are taking on GLBA."
Okay, granted on the surface, this statement does appear to be like sloppiness, cheapness, and/or general dereliction of duty.
But wait, let's unpack this:
Is she saying that banks should spend MORE than necessary on GLBA compliance?
Does spending more on GLBA compliance entail better security?
Audit checklists and industry regs usually do not always entail improved risk management. But hey, for argument's sake, let's just assume GLBA Compliance = adequate security.
Now, let's restate and clarify:
"What is the bare minimum amount of risk management we can do and still operate as a business?"
But what's wrong with adequate (or minimum amount). It's that tipping point where it becomes too costly to protect an asset than to lose it. That's risk management and just plain dollars and sense.
Okay, but what is that bare minimum? How do you know what that is?
Wouldn't knowing what the minimum amount of risk management needed imply a thorough examination of risk and the value of the protected services and assets?
So to truly make that statement, banks will have be doing some pretty darned good risk assessment.
And to choose the bare minimum, means they are making an informed decision about the tradeoff between business value and risk mitigation.
The only problem I see with all of this is banks should not be asking their auditors "what is the bare minimum I need to do?"
They should be asking their security people.
And they should be answering in a manner that makes sense to someone who's job it is to choose how money is spent for the overall good of the organization.