PCI Security - The Devil is in the Details

Mon, Nov 16, 2009

Featured, PCI DSS, Security Trends

Joshua Corman, research director for enterprise security at The 451 Group, recently renewed the debate over the role PCI plays in network security in an article featured in CSO Magazine.  The article contains a number of Corman quotes from a recent 451 Group client conference.  From the excerpts, it’s clear that Corman is trying to sound the alarm, and that it may be falling on deaf ears.

You don’t need to look far to find examples of “compliant” companies that were insecure and are paying for that mistake with real dollars and public embarrassment.  Are these companies the poster children for the failure of PCI and compliance initiatives, or a wakeup call to corporate management? Probably both.  As with most things in life, the devil is in the details.  Corman is right to warn us that there are very real, highly organized threats, and that the focus on compliance has become a distraction for many organizations.

As a proponent of self-reliance and personal responsibility, I would certainly prefer that everyone just “do the right thing.”  But when it comes to network security, the fact is that many organizations have no idea what ‘the right thing’ is, or don’t have the budget for experienced personnel or the training needed to fill infrastructure holes.  Compliance initiatives did expand budgets and created the potential for increased security, but in the process they set management and board-level focus on the wrong objective.  It’s been said many times before, but it’s worth repeating: Compliant is Not Secure.

Last July, I had the opportunity to discuss this topic with Brian Prince of eWeek.  The article’s a good read and is absolutely relevant to this discussion.

The 451 Group’s take on this issue is thought provoking.  We can debate how we got here, but I think the question now is where do we go from here?  How do we shift the focus from compliance to security?

As a vendor in this space, we continue to ask ourselves what guidance and solutions we can offer to the tens of thousands of midmarket businesses that are sitting squarely in the crosshairs of the next wave of attacks.  It’s that very question that keeps me going day in and day out.

This post was written by:

Michael Maloof - who has written 13 posts on TriGeoSphere.