November 13, 2009
The compliance conundrum
It’s foolish for organisations to assume that being compliant means that their infrastructure is an unsinkable ship.
The Payment Card Industry Data Security Standard (PCI-DSS) has been hotly debated since its second incarnation in 2006. With the cost of implementing a compliant infrastructure outweighing proposed fines, many retailers quietly put PCI-DSS on to the bottom of their to-do list.
More recently, credit card companies have hardened up their approach, forcing retailers to ensure compliance. However, after a spate of companies, such as Heartland Systems in the US, experienced security breaches despite complying with regulations, there is a growing undercurrent of discontent around such mandates. Many businesses are asking, “If PCI-DSS doesn’t stop breaches, why have it at all?”
This raises questions about a far more serious issue, which is the fact that senior stakeholders in an organisation have begun to rely too much on compliance status as an indicator of good security practices.
Now that compliance is a major part of every business’s IT strategy, a significant misunderstanding has developed around the objectives of something like PCI-DSS. It’s foolish to assume that being compliant means your infrastructure is an unsinkable ship. What compliance does is set a benchmark for monitoring your security at a particular point in time.
As an analogy, setting your house alarm before you head out for a night on the town doesn’t mean someone can’t break in while you’re gone and escape with your television and that family heirloom. Security isn’t just about a periodic check that things are OK.
A Safe Starter
Where PCI-DSS, for example, has been successful is in highlighting the problem of unsecured credit card information and providing companies with a framework to store that information more safely. By itself, it’s not enough – but it’s a great place to start.
However, PCI-DSS also drives a lot of security spending. With merchants being fined more regularly, organisations have begun to invest heavily in better security around credit card data. Meanwhile, board members see that investment and expect the money spent to benefit the business overall. They equate compliance success with good security, and that is a problem.
Too often, passing a PCI-DSS audit creates a false sense of security within the organisation, especially among senior stakeholders. What they need to understand is that security is an ongoing process. Technology and its threats evolve at such a rapid pace that a part of your network that’s secure today could easily be at risk tomorrow.
Compliance initiatives are an important starting point for security teams to do their job to the best of their ability, but they can’t replace regular and thorough analysis of insider/outsider threats, and careful attention to closing holes in security processes. Both security and compliance are 24/7 initiatives, and senior stakeholders need to ensure that budgets and resources are available to make this happen.
PCI-DSS has been under fire quite a lot of late. In some camps, it has been insinuated that the number of high profile breaches since the arrival of PCI-DSS suggests the entire approach is flawed. This isn’t the case; we’re hearing more about security breaches because compliance initiatives have enforced disclosure requirements on companies.
Discussions should centre on the extent to which breaches have been reduced, now that businesses are being forced to implement at least the most basic of security measures.
That isn’t to say that PCI-DSS isn’t a little difficult to manage, or that it’s a sure-fire way to avoid internal threats and external attacks. As discussed above, securing sensitive data housed by your business is an ongoing commitment that requires attentive resources and the support of senior management.
Measuring security effectiveness can be tricky. Implementing solutions that thoroughly monitor networks is one way to stay informed about what’s happening on your infrastructure, while keeping skilled resources free to focus on more strategic security processes. Even so, the application of independent metrics is in its infancy, and rolling up compliance, security and risk into an easily digestible format for senior stakeholders has been a consistent challenge.
But it is a challenge that organisations cannot afford to ignore. If IT departments don’t begin educating the folks in charge about the need for constant refinement of security processes, the benefits of any compliance mandate as a baseline for good security practice will go to waste. And that’s not good news for anyone.
David Roberts has a strong background in the defence intelligence sector, and is a security solutions specialist at NetIQ. Previously, Roberts was the Defence account manager at leading ICT systems provider Commander, and solutions architect at Tenix Datagate.
Written by: Elton