If compliance is from Mars, then IT security is from Venus. Take Sarbanes-Oxley compliance as an example. The law makes clear that a corporation’s financial information shall be secure, but it says nothing about exactly how a company is supposed to achieve security in the IT realm.

At the other, far more verbose end of the spectrum, companies have an abundance of IT standards that aim to translate Sarbanes-Oxley’s broad legal, accounting, and information-management requirements into pragmatic directives that IT professionals can use.

In fact, IT-security experts say there are too many standards and that none do the job well—among ...