I used to be a Certified Public Accountant (CPA) before I learned that computers and computer security were a better fit. Still, you would think that earning a college accounting degree, working at a CPA firm, and passing one of the hardest professional exams in the world would enable me to do my own taxes. But I'm too scared. The tax code is full of thousands of ever changing laws. There are exceptions to every exception. Believe me, when Congress passes a tax simplification act, CPA firms cheer. That means yet another year when taxes will be treated differently than all of the prior years.
There are so many tax laws that not even dedicated tax professionals, including IRS employees, can get it right. Each year around April 15, U.S. newspapers are loaded with stories of how frontline IRS tax agents could not correctly answer simple tax questions. Who can blame them? Have you seen the size and complexity of the tax code? Exactly how many different laws can one person be expected to know, understand, and enforce with any efficiency?
Many companies have a similar problem with information security. I've consulted with a number of clients, all with good, intelligent, well-trained security teams, who are struggling to secure a growing number of security domains, each with a different set of increasing security requirements.
The challenge was recently epitomized when one of these clients stated, "I've got 186 different (internal and external) customers with 186 different sets of security requirements."
I sat back stunned. I could not imagine a more impossible scenario short of simply increasing the number. Unless you have a dedicated person or team per set of security requirements, you have no chance of addressing them. It's impossible to make customized, personalized guarantees on such a scale.