Compliance Demands Are Getting Too Prescriptive

Benjamin Wright’s comments on the ill-fated California AB 7799 Bill raise an important criticism about emerging compliance demands: they’re getting too prescriptive. This was a trend I pointed out last year. It’s because too many inexperienced standards-setters are now driving the agenda. The PCI Security Standard was an early indication of this trend. It’s typical of a standard drafted by industry specialists, not experienced regulators or standards professionals.

Experienced regulators and seasoned standards writers tend to avoid solution-focused requirements. Regulators strive to maintain a level playing field, and you can’t do that if you prescribe a solution based on the practices of individual organisations. Standards professionals also recognise that prescriptive solutions restrict innovation and don’t stand the test of time. Unfortunately, these considerations are not widely appreciated, and we don’t have training courses for standards writers. But the stakes are getting higher. We need more standards for standards. Physician, heal thyself.

Join the conversation

If people had followed the "best practice" guidance available from early on, and listened to those who did know and had the requisite experience in the first place, then we wouldn't be in a position that appears to require prescription. Invariably, we have ended up with woolly attempts at "compliance", given that your version of it and mine may be two different things, depending on our perspectives and our business processes. Without at least an element of prescription, it is too risky to simply "trust" and hope that all is well, given the current environment of managing constantly growing values and quantities of information.

Being compliant against a prescriptive immature standard does not equate to managing the risk. Moreover, compliance against immature standards may actually be undermining efforts to manage risk and working against the best interests of organisations and their owners.