
This site is dedicated to helping executives, auditors and IT professionals understand the relationship of security to existing business and technology control processes. It explores security as an enterprise control problem and offers practical ways of improving IT process to better address security and to meet regulatory compliance and enterprise objectives. Most companies consider security somehow separate from their organizational business and engineering processes, and fund entire departments to keep the corporation and its assets "safe." They fail to recognize security as a familiar problem that has only recently been raised in visibility and priority, and that it can often be addressed by existing controls infrastructures. Most companies also consider regulatory compliance somehow separate from their organizational governance and quality assurance effort, and fund entire projects to prepare for external audit. They fail to recognize that compliance is a process, not a project: it must be sustainable, and it can often be addressed internally by simply enhancing existing risk management and quality assurance programs and by leveraging existing resources. The trend toward increasing information security threats and regulatory compliance has spawned a whole new technology industry, and a whole new, costly consulting practice based on fear and disinformation. While new skills, tools and techniques may be required to meet these threats and requirements, it makes little sense to acquire them until after a company has fully explored the existing controls and human resources in which it has already invested.
The bottom line is: executives and professionals can apply common sense to guide them to the right decisions concerning just how much their business depends on bullet-proof security, just how much to invest in commercial security solutions, and, most importantly, just how much costly security solutions differ from the solutions and processes already available in their quality assurance, risk management and business continuity programs.