Self Regulation of Data and Privacy Isn't Working

I work for a major auditing firm. The customers we audit the majority of have quite good security. When we start to ask about the subcontractors, things get bad quickly.

Many companies protect the easy stuff, and then outsource a lot of the work to subcontractors. They then send them a self-assessment survey about their “security”. It’s all bullshit.

Case in point, we actually drove out to one of these subcontractors for a major data center provider. We got stuck in traffic, but figured what the hell and still pushed on, arriving at 6:00 pm. We walked in...literally. They had left for the night and forgotten to lock the door, computers, servers, drives, routers you name it everywhere. Their 3-year contract was voided later that evening.