People often ask how to simplify compliance in information security and governance. They want to know if it can all be boiled together. I remember one CIO who said “just give me one list!”
I had put together a couple of slides on why this is an 80/20 question, never a perfect fit, but I like how the Dead Prez rhyme a similar answer:
“Crack is like a Democrat; Cocaine Republican; Marijuana Independent Party. Same government…”
I guess I’m intentionally being opaque on this to protect my own rhymes, besides the fact that theirs are probably better anyway. Imagine a board room where a security consultant performs a poetic recital of risks. Yeah, that’s what I’m talking about. It will be subtle, trust me.
Similarities and differences. Analysis is not synthesis.