Benjamin Wright’s comments on the ill-fated California AB 7799 Bill raise an important criticism about emerging compliance demands: they’re getting too prescriptive. This was a trend I pointed out last year. It’s because too many inexperienced standards-setters are now driving the agenda. The PCI Security Standard was an early indication of this trend. It’s typical of a standard drafted by industry specialists, not experienced regulators or standards professionals.
Experienced regulators and seasoned standards writers tend to avoid solution-focused requirements. Regulators strive to maintain a level playing field, and you can’t do that if you prescribe a solution based on the practices of individual organisations. Standards professionals also recognise that prescriptive solutions restrict innovation and don’t stand the test of time. Unfortunately these considerations are not widely appreciated. And we don’t have training courses for standards writers. But the stakes are getting higher. We need more standards for standards. Physician heal thyself.