CHICAGO -- The best way to meet "squishy" security provisions in regulations like Sarbanes-Oxley is to match appropriate controls against anticipated threats and create a defensible case to support those decisions. Otherwise, enterprises risk devoting too few -- or directing too many -- resources to come into compliance, according to Paul Proctor, META Group's vice president of security and risk strategies.
"Regulations recognize you can't protect yourself from everything," Proctor told delegates at Thursday's Information Security Decisions conference. But, he acknowledged, that built-in flexibility can also work against an organization if its controls aren't mapped to a proactive, process-oriented security program grounded in an ongoing risk assessment.
Corporate governance-oriented SOX, which holds public companies' top executives accountable for internal data controls, is especially vague on security. "Sarbanes-Oxley is the absolute worst," Proctor said. "They don't tell you what you need to do at all. Of course, they'll throw you in jail if you don't do it properly."
