Naked CIO: We must halt the creep of phony IT compliance

IT is being made to pay extra charges on the pretext of due process and governance

From questionable insurance to cash-grab fees, we're being saddled with more and more obscure and spurious charges disguised as proper practice, says the Naked CIO.

The CFO approached me a couple of days ago and asked me to review an amendment to our company insurance policy, which he said we had to make. Not knowing exactly what he meant, I agreed and said I would be happy to offer any help I could.

Back at my desk, I received an email explaining that the amendment in question was called cyber threat liability insurance. I almost fell off my chair. As I read through the aspects of the policy that related to privacy and damages resulting from a website or web presence, I remained dumbfounded.

In most modern organisations that have compliance policies and conform to regulation, there is no segregation between security and compliance on a website or any other system. There is a responsibility to ensure data privacy and security, to provision against threats and to mitigate vulnerabilities.

That is basic IT Management 101. I honestly thought this policy was a joke because in my 20 years in IT management I had never seen anything like it.

Limiting liability and exposure
However, after checking I found out that we had a business arrangement with a US-based company to collaborate on a website initiative. Ah yes, American. To limit its liability, the company in question needed us - indeed compelled us - to take out cyber threat liability insurance.

It wasn't expensive but in my view still absolutely useless both in terms of what it tries to protect and what it doesn't cover. It just lays bare what is becoming a disturbing trend in the IT world: more and more obscure and dubious charges relating to standard IT operations under the guise of proper practice.

These companies, programs and the fees and charges they apply seem to me to be a cash grab without intrinsic benefit. The extra charges are concealed behind a veil of due process, compliance and governance and as such are rarely questioned. In most cases they are unilaterally enforced as a requirement.

Meddling governments and institutions
As more governments and other institutions meddle in what they believe to be best practice, the cost - essentially a covert tax - gets passed on to organisations trying their utmost to keep spending under control and good people in jobs.

It is a sad and concerning portrait of our IT world that we are governed in such a way and that commonsense practice and basic safeguards on data and systems have become such a costly and complex part of our world.

Data privacy and indeed the security of modern enterprises are key priorities for all senior IT professionals, but these issues are overshadowed by an overreaching, over-costly and overbearing system of audits, compliance and liability reduction, which is over the top. It affects the ability of IT to be successful in the eyes of the business it represents.

We need more transparent and manageable governance standards to be applied. We also need to stand up for reason in the face of silly cash-grab insurance policies, such as cyber threat liability insurance, and the organisations that push this ridiculous scaremongering.