Time spent on compliance might be better spent actually doing something about security.
You want perfect data security? Dream on.
The need to protect corporate and personal information from unauthorized and possibly nefarious eyes was front and center this week at the MIT Sloan CIO Symposium in Cambridge, Mass. But experts failed to agree about whether the forces of good are prevailing against the bad guys or even whether breaches are increasing—or are just more public than in the past.
There was consensus among C-level executives, however, that the hassle of complying with regulations actually diverts resources that could be better spent bolstering security.
Regulations with a security component include broad measures like the Sarbanes-Oxley Act governing corporate financial disclosures and Payment Card Industry rules for credit card transactions. But there is also a raft of mandates targeting specific industries. Examples include the Health Insurance Portability and Accountability Act, or HIPAA, covering health and medical information and the Federal Information Security Management Act that protects federal data and assets from “man-made threats.”
Add to that a welter of regulations from various states and foreign jurisdictions and you can see how the workload might get out of hand.
“Our security people spend 60% of their time optimizing documentation and 40% of their time doing the work,” said Anthony Christie, chief marketing officer for Level 3 Communications, the big telecommunications company.
Niraj Jetly, chief information officer of NutriSavings, agreed.
Companies like NutriSavings, which works with businesses to encourage healthy diets for employees, rely on customers sharing data. But constant talk about breaches damages the trust consumers have in that process, Jetly said. “We have to stop these breaches but the regulations are not helping. We preach technology as CIOs, but we spend most of our time on paperwork.”
It is important not to confuse complying with security regulations with actual safety, added Roota Almeida, head of information security for Delta Dental of New Jersey. “Compliance does not equal security. Compliance plus X, Y, Z may equal security, but you need to do a lot of things after you’re compliant.”
The fact that more data is being generated and collected—from appliances and cars bristling with sensors as well as cell phones and fitness devices—in the emerging Internet of things is raising the stakes for data security.
When company employees working at home access corporate networks via the same Wi-Fi that connects their refrigerators, Xboxes, and Nest thermostats, they could be exposing corporate assets to a whole new range of threats, said Ryan Mallory, vice president of global solutions architects for Equinix, the big data center provider.
Perhaps it’s best to isolate the threat. Instead of building one big castle surrounded by one big moat, maybe a thousand little separately moated castles would be better.
Since it’s hard to prevent compromised hardware, it’s best to limit what a malicious person can do if that piece of hardware is compromised, said conference attendee Paddy Srinivasan, general manager and vice president of Xively, an Internet of things technology company.
“We advise product manufacturers to limit the surface area of exposure to minimize the threat,” he said. “With a compromised device, it would be really bad if the hacker can listen to or communicate with other devices on the same network. If the only thing the hacker can do is spoof that particular device alone, then damage is a lot more limited.”
As to whether the cybersecurity situation in general has gone downhill over the past few years and whether the balance of power will shift in favor of the good guys going forward, there were a lot of opinions.
“Why does it look worse? The simple answer is because it is,” said Mark Morrison, chief information security officer for financial services firm State Street. He cited the changing demographic of attackers. Hackers started out mostly as individual actors trying to get famous or make a point but then morphed into organized criminals trying to steal money. But more recent attacks have come from ideological nation states and that is a change for the worse, he said.
“We’re not dealing with War Games and the guy in the basement any more,” Morrison said.
Having said that, Morrison thinks things will improve going forward since IT professionals and the public at large are now more attuned to cybersecurity risks.
“This is an evolutionary process and it will get better. We’re growing at a faster rate than our adversaries.”
Delta Dental’s Almeida was not so optimistic.
“I can’t say whether it’ll be better or worse but it’ll be very different. With the Internet of everything, the threats and the attack surface will be 10, 100 times bigger than it is now. And the type of information available five years from now will be different. Things will be very different but not necessarily better.”
For one thing, she stated, hackers now realize how valuable protected health information is and are targeting it more. If a thief gets a credit card number the card can be cancelled, “But if I lose private information, X-rays, fingerprints, those things don’t change. It’s hard to get private again.”