“Compliance” setting your whole security strategy is wrong….

We’ve talked quite a bit about PCI DSS compliance here. Generally, we’ve looked at what is going wrong, what can go wrong and, from there, what organisations should be considering in order to do it better. This post looks at it from a slightly different perspective, though not a wholly new one either: we’ve touched on and skirted around this a few times.

While PCI DSS has been a good wake-up call for many organisations, there’s also a negative side which doesn’t get much attention, lost in all the talk about the benefits PCI DSS has provided to organisations that previously had weak to non-existent security practices: a security strategy based solely on compliance.

It doesn’t work.


It’s not a chicken-and-egg scenario, and it does leave organisations in that so-often-discussed “false sense of security” scenario.

Compliance needs to be wrapped up within an overall security strategy and framework, not the other way around.

Compliance, regardless of who mandates it, has a scope. That scope doesn’t always encompass your whole organisation.

Auditors who hold the QSA certification have demonstrated a certain level of competence in understanding the PCI DSS and the objectives of the card brands. That is all. Beyond that, organisations who engage QSAs have, off the bat, no idea of the broader Information Security and Risk Management knowledge of those individuals. Now here’s where the problem lies.

As I mentioned, many organisations are being exposed to Information Security for the first time through PCI DSS (as just one example; it could be any regulatory set of standards). This means that whatever the Auditor recommends will become the organisation’s Information Security strategy, framework and so on: compliance setting the strategy, and everything that flows from that. Scary!

Now let’s ramp it up and get a bit controversial. Many QSAs are not senior Information Security experts (based upon our experience), or at least not to the level required to develop a security strategy for an organisation. Hell, many CSOs struggle with it. We see it all the time. Get where I am coming from? (Aside: great post here at the /dev/null blog by Jarrod on the topic of consultants.)

Sure, some of these organisations become compliant, and God only knows how they were certified as compliant (from our experience coming in after some QSAs), but really, where are they at? Mileage varies, as they say. They’ve made a few steps forward and then they stop! In most of these cases there is no subsequent next step for these organisations. They have their strategy in place: a strategy developed solely for compliance reasons and guided by an Auditor whose speciality may not extend beyond the scope of the regulatory standards they are auditing.

I welcome your comments.

Drazen Drazic

About Drazen Drazic

Drazen Drazic is the CEO of Securus Global. Securus Global is one of the leading Information Security consulting organisations in the Asia Pacific region, also servicing clients from around the globe. He is directly engaged as a strategic consultant by many organisations, across most industry sectors, on matters to do with Information Security policy and strategy. In earlier times, he headed up Information Security for a large global investment bank and a Big 4 professional services firm, worked as a regional IT Director, and has spent many years promoting and talking about Information Security. He is also the chief writer on the IT Security Management site, Beast or Buddha.

