May 29 2007
Michael Dahn started an interesting conversation with his post, “Putting an end to compliance via continuous security“. He wonders why he and other auditors come back to companies and find the same problems year after year. Why can’t a company stay compliant over the course of a year? The reason, or at least a reason is because the technologies might be changing, but the mentality that created the problem in the first case is still there.
I don’t claim this as an original idea, it’s something I picked up from my teacher when I trained for my GSNA. She stated that until you can change the way people are thinking about security, similar problems are going to continue to evolve again and again. Policy might change the perception of security measures, education works better and sometimes people have to be replaced. But until you can instill a proper security mindset in your users, problems will continue.
I always thought of PCI and compliance in general as a lever to promote change in the corporation. People don’t like change and management really doesn’t like security managers who ask for large increases in their budgets. But when you can use the compliance issue as a justification, you’ve taken that item from a ‘nice to have’ to a ‘must have’. There are other ways to justify you’re work and your technology, but an itemized list of requirements helps a lot.
I also view becoming complaint as a secondary goal to becoming secure. If you keep your priorities in that order, it should make doing both much easier in the long run. I can’t say I’ve been completely successful at this in the past, but I found it made my life much easier when I do. Focusing on a security solution that also happens go be a compliance solution is much more important than finding a compliance solution that’s secure.
There are a lot of good comments on this thread. I like the idea of a continuous approach to security, but it will be a change to the way people think. If PCI or some other compliance framework is the tool you need to effect that change, use it. But don’t lose sight of the real goal, which is the security of your company, not the compliance itself.