Nothing gets the security versus compliance discussion going like bringing up the famous Titanic disaster, as a recent article titled “A History Lesson: Compliance v. Risk and a False Sense of Security” does. The author, Greg Boudah, even discusses how NIST’s RMF and the older C&A processes play into this. But even if everything looks great on paper (i.e., the “RMS Titanic was the largest and most compliant ship of its time”), that compliance only provided a false sense of security (i.e., complacency) that ultimately led to its fate.
If an organization scores high, then a false sense of security manifests. “If I have a low risk score and I’m fully compliant with patching and policies, then I shouldn’t be held liable if/when something goes wrong.” This is termed the “Cover Your A$$” strategy. As an example, here is a history lesson: the RMS Titanic was the largest and most compliant ship of its time. We all know what happened. Tragedy.
Titanic had advanced safety features such as watertight compartments and remotely activated watertight doors. Though there weren’t enough lifeboats to accommodate all of those aboard due to the maritime safety regulations of the day, it didn’t matter much to passengers because Titanic was thought to be “unsinkable.” The ship received a series of warnings of drifting ice in the area, but continued to steam at full speed, which was standard practice at the time. It was generally believed that ice posed little to no danger to large vessels if they were compliant with safety standards. Risks were considered to be low because the compliance was high.
Read the full article here.
Today’s post pic is from Abisaab.Wordpress.com.