
March 28, 2008



We all recognize that 'Compliance' is not the same as 'Secure'.

PCI helps guide organizations towards 'better practices' but achieving PCI compliance certainly does not eliminate risk or solve the problem of data loss.

So, this begs the question: Why mandate it? Sounds similar to eating broccoli? While many agree that this is good for the body, nobody mandates it. Put another way, I want the companies I do business with to be secure, not compliant.

Seems that PCI (substitute your choice of mandated regulation) does not necessarily achieve the goals.

Recommended solution: Put teeth in the regulation that a commercial entity can 'understand' and the necessary goal is more likely to be achieved. Now the equation becomes 'Do I risk paying $1000 per ID on penalties or do I invest $500 to secure the infrastructure and associated processes'? While this is certainly not a guarantee to eliminate data loss, it will ensure a best effort - which is what most folks expect.

Randall Gamby

Hi Subbarayudu,

Thanks for commenting! I agree, regulations only go so far, but they ARE valuable. They raise awareness of consistent oversight (even if it doesn't go far enough), they require organizations to do a review of their current practices and begin to make changes towards better securing their data (it's hard to say how bad Hannaford's security position was 'before' they became PCI compliant, but I doubt they were better off than after being compliant), and they help security personnel obtain the funding and personnel that may have been hard to obtain from management if there wasn't outside pressure.

However, with that said, as I stated in my blog, "...enterprises have to look beyond the task of being compliance and take whatever additional steps may be needed to secure their data against breaches..." There are bad guys out there and breaches occur much too often. And given the initial findings of the Hannaford breach that this may have occurred from the inside (along with other large breaches of information like the recent Societe Generale scandal), enterprises have to understand they have to balance protection mechanisms to keep both external AND internal breaches from occurring. I saw a number somewhere that something like 70% of all breaches that actually COST an enterprise real dollars happen from the inside, and I've been warning companies for years that those internal support personnel that manage their financial and access systems should be paid well, and be very happy. I'm an advocate of "vetting", and vetting well, personnel, and their managers, that maintain the internal "keys" to the "virtual vault". So there's a lot more to security management than regulatory compliance, but we can't just throw regulations away. But at the same time, as you alluded, it's hard to put specific "teeth" in them and allow every enterprise to support them in a cost-effective manner. The warning in all this is to have a well-vetted risk management plan, with contingencies in case a breach occurs (the big red “stop” button), know what to do in case a breach occurs, and to periodically review these plans to verify they continue to adjust to known risks. Regulatory compliance must be maintained, but it should be just one piece of any risk management plan, though still an important one.
