Alex is convinced that PCI compliance has little to do with information security, at least in terms of companies' desire to achieve compliance. It's all about the semantics of getting past the legal mumbo jumbo involved in meeting each section of the DSS. His hypothesis is based partially on the questions that are asked in the Yahoo! Groups PCI Compliance group. I'm also a member of that group and I would agree that most of the questions are not "how do I become more secure?" but "how do I comply with a particular section?" That is to be expected just because of the nature of the group. It is about PCI compliance and not security in general.
I still have to agree with Alex though. Based on the discussions that I've had with others about their PCI experience, and also with vendors, the quest isn't "more secure" but "just enough". It appears that companies aren't working towards protecting their networks, systems and data but towards keeping the auditors happy and getting a check mark in all of the check boxes.
This leads me to wonder: do the auditors need to expand their scope beyond the regulations? Of course not. That wouldn't work because they have to have limits on their power and scope. What we need to do is get management out of the compliance mindset and into the security mindset. This will take time and will require that we be able to quantify the benefit of security. Maybe it's building cases based on past breaches at other companies and showing what the associated costs were. The real cost, not the cost that the analysts come up with.
What will actually work better (and in concert with the above) is to show the vulnerabilities that have been remediated by what has already been done and those that will be remediated when other controls are put into place. Then show real-world examples of how not being affected by these issues saved time, money and resources.
We have to build our case on reality and not on FUD. A good example (going back a few years) is Blaster. Lots and lots of companies were hit time and time again with Blaster. Just when they thought it was cleaned up, a forgotten system was turned on or a laptop user connected to the network and then it was running amok again. Yet those companies that had been patching regularly were unaffected. A good plan for maintaining AV (especially in emergencies), patching, keeping up with all systems (permanent and mobile), having the right routing and firewall rules in place, etc. would have kept your company Blaster-free. Yet most companies did not employ these things.
So back to PCI. I'm not a big fan of security by compliance, because human nature causes us to do just enough to get by, but it does at least open our eyes to the need for more security. It also (hopefully) paves the way for us to realize that check boxes aren't enough and to reach for real security. Build your case and sell it.
Security's Everyman

Sunday, January 13, 2008
PCI Compliance "Why Bother?"
Posted by Andy, ITGuy at 1:09 PM
Labels: Andy ITGuy, information security, PCI, Risk Analysis
Barry · 885 weeks ago
I think you make some very good points, but unfortunately I think the line between practical vs. ideal security is difficult to define at times. In an ideal world, people would think before they act and think in a "security mindset", as Bruce Schneier calls it. However, in many cases, the company in question is more interested in what they need to do to get by, not what they can do to improve their long term security posture and health. In some ways, this makes sense - if I'm selling groceries, I want to spend as little as possible in anything that doesn't directly lead to selling more groceries.
However, you and I know full well that this isn't an effective way of thinking either. The costs of fallout from security incidents, inefficiency, and other items can be far more - besides, security is not necessarily always expensive. The key is finding that fine line, and most companies aren't interested in finding it or simply do not know where to begin. The REALLY frustrating part is that consulting companies seem to in turn prey off of this problem and insist on following "compliance" programs. This is not inherently greedy, but it reduces their risk as well as is a lazy way out of having to really think about an effective solution.
That brings me to my central frustration with many so-called "security" entities. They're compliance and/or privacy, not really true security. I could retire today if I had a nickel for every time I've seen someone not bother to understand an underlying issue and simply go with the "checklist" approach. Not only is it incredibly sub-optimal, it makes for a very unsatisfying work experience.
Bottom line - fear of litigation risks and fundamental lack of understanding of technical concepts (and associated tradeoffs), combined with the overall view that IT is a "commodity" like bushels of hay, is leading companies down a path that loses them money, frustrates employees, and does little to nothing to reduce overall security posture.