You WILL comply
By Pat GRAY
Some of you may have seen my story in yesterday's Sydney Morning Herald and Age newspapers, Compliance overload leads to complacency.
In the story, local security consultant Neal Wise recalls a client asking him to cripple the reporting features on one of his network devices. You see, every time the thing sent him a certain type of alert, he was required by regulations and standards to escalate and document the event. No thanks, he said, just cripple the feature.
Sure, it's just one anecdote, but it's telling. Standards and regulations should be about making security easier, not harder. The problem with fusing risk management and technology is that the risk people love complicated processes and paper trails, and the nerds do not.
Quite often, policies the suits come up with make life really difficult down the line.
Good security policy will often limit the freedom of technology workers to make a judgement call on an event. They need to write up and document EVERYTHING before passing it up the line. This is clearly a major pain in the arse, and at the root of the type of push-back Wise described.
You're damned if you do and you're damned if you don't. If you give staff the freedom to make their own decisions, they could make mistakes that have disastrous consequences. ("I didn't think finding a root-kit on a production server meant I had to rebuild the whole thing!") And if you remove their freedom to do their job, quite often they'll just bury inconvenient truths. ("What root-kit? I didn't know about any root-kit!")
But there is a solution. Consult your HR department. Vet candidates. Don't worry so much about the shit-kickers, but make sure the person supervising them has a strong background in technology and risk management and is capable of managing a team. It might cost you a bit more to procure your talent, but these days regulations and compliance concerns mean there is no alternative.
Otherwise, you could wind up with some moron in your IT department disabling your IDS because he doesn't like what it's telling him.
In other news, I've launched my first IT security podcast at ITRadio.com.au. The show's called Risky Business, and you can tune in here.
Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.