The best way to meet “squishy” security provisions in regulations like Sarbanes-Oxley is to match appropriate controls against anticipated threats and create a defensible case to support those decisions. Otherwise, enterprises risk devoting too few — or directing too many — resources to come into compliance, according to Paul Proctor, META Group’s vice president of security and risk strategies.