Security purgatory for the regulatory afflicted
To put it in simple terms, I feel sorry for many businesses, especially start-ups and small ones, which must conform to the computer and network security demands listed in some regulations. We're doing policy work for a young startup; their IT staff consists of a few developers and one outside contractor. They have been damned, err, deemed a Service Provider Level 1 entity by Visa's CISP program. That means they'll have to spend lots of money on high-maintenance activities which are usually reserved for much larger organizations.
I'm all for best practices and doing things right, but the cost of playing and doing business in this context is skyrocketing. If I had a good business idea, I would likely feel very depressed on realizing I must combine the risks of trying something new with the enormous costs of meeting regulatory requirements. For me, the motivation to operate securely is already there: if you fail, your company will suffer damage or be shut down. As with all things that go this way, we get fewer market choices and more expensive services.

