May 29 2007

PCI (and compliance) are just tools

Published by at 9:46 pm under Uncategorized

Michael Dahn started an interesting conversation with his post, “Putting an end to compliance via continuous security”.  He wonders why he and other auditors come back to companies and find the same problems year after year.  Why can’t a company stay compliant over the course of a year?  The reason, or at least one reason, is that the technologies might be changing, but the mentality that created the problem in the first place is still there. 

I don’t claim this as an original idea, it’s something I picked up from my teacher when I trained for my GSNA.  She stated that until you can change the way people are thinking about security, similar problems are going to continue to evolve again and again.  Policy might change the perception of security measures, education works better and sometimes people have to be replaced.  But until you can instill a proper security mindset in your users, problems will continue.

I always thought of PCI and compliance in general as a lever to promote change in the corporation.  People don’t like change and management really doesn’t like security managers who ask for large increases in their budgets.  But when you can use the compliance issue as a justification, you’ve taken that item from a ‘nice to have’ to a ‘must have’.  There are other ways to justify your work and your technology, but an itemized list of requirements helps a lot.

I also view becoming compliant as a secondary goal to becoming secure.  If you keep your priorities in that order, it should make doing both much easier in the long run.  I can’t say I’ve been completely successful at this in the past, but I find it makes my life much easier when I do.  Focusing on a security solution that also happens to be a compliance solution is much more important than finding a compliance solution that’s secure. 

There are a lot of good comments on this thread.  I like the idea of a continuous approach to security, but it will be a change to the way people think.  If PCI or some other compliance framework is the tool you need to effect that change, use it.  But don’t lose sight of the real goal, which is the security of your company, not the compliance itself.

One Response to “PCI (and compliance) are just tools”

  1. Michael Dahn on 29 May 2007 at 11:40 pm

    Martin, thanks for covering this. This is an issue that keeps coming up, over and over. Companies struggle to get “compliant”, to pass a milestone or meet a timeline, and lose track of the big picture.

    Recently on the blog commenters have been talking about an ISMS (Information Security Management System), and I agree with you and them that ‘security’ should be the focus of compliance. In fact, if companies secured the cardholder data in the first place, there would be no need for the compliance program.

    But, I’d argue even that many times people lose sight of the big picture even when implementing an ISMS or any program for that matter. You can perform risk assessments until you are blue in the face, but good security starts with rational in mind. Rational from the end user all the way up to the person running the program.

    I agree that security programs are good, but never lose focus on the primary objective – protect the data and the systems holistically.
