Compliance is Only a Spark
Compliance requirements may be introduced when there is a threat to life, property, or our financial systems. They are designed to be the initial spark that will drive an industry to improve how it operates for the betterment of the entire ecosystem. Present-day examples include laws or standards such as SOX, FISMA, and PCI DSS—all of which affect a majority of firms here in the United States. Managers of affected firms must demonstrate compliance with these rules or face fines, penalties, or worse. Compliance does not guarantee that you will be safe from hackers or new regulations, but it does create a baseline of controls from which you can build.
Properly fueled, a spark will set ablaze a fire that will burn as long as fuel is available. In the case of compliance, fuel comes in the form of continued diligence in the respective field.
For example, meeting EPA requirements is great, but exceeding them where it benefits both the firm and the environment is better. Meeting compliance requirements for information security initiatives is OK, but exceeding them will do more to keep your firm and your customers safe today and tomorrow.
Information Security and Fraud
Credit card fraud is not new, but the miniaturization and proliferation of information technology in support of credit card processing vastly increased the attack surface for hackers to steal and monetize this data. Many retail and financial firms were caught off guard as new kinds of attacks threatened their ability to manage fraud. On December 15, 2004, five major payment card brands came together to release one standard for payment security and dubbed it the Payment Card Industry Data Security Standard, or PCI DSS. For many retailers, and some financial institutions, PCI DSS sparked a major overhaul to their security programs. I recall a number of instances in 2005-2007 where IT and InfoSec professionals used PCI DSS as their justification to get much needed upgrades to process and infrastructure.
Other initiatives such as FISMA challenge managers to implement a higher level of information security controls. The difficulty of implementing these standards depends on how your firm uses sensitive information or deploys certain kinds of technology.
For those who choose to comply, is that really enough to prevent breaches? Based on the kinds of attacks outlined in various industry and government publications, I do not believe it is. PCI DSS, like other compliance initiatives, is just a way to create a baseline of security for the ecosystem and try to bring the majority of companies up to that baseline. By doing this, basic attacks like the ones casual script kiddies employ do not work. These are not one-time goals, such as taking the test to get your driver’s license; instead they require constant upkeep as both the internal and external environments rapidly change. Compliance may be the cause of complacency at every level of the company—it’s our duty as the maintainers of technology to know how to do it safely and securely.
Sports Metaphor Time
I sometimes ask companies who handle sensitive data such as credit cards why they do so when they are clearly not qualified and their security and technology groups are not funded appropriately. There are plenty of vendors who provide solutions that solve business and security problems around sensitive data. For retail, handling cardholder data is like an outfielder trying to catch a pop-up with the sun directly in their eyes. It’s possible, but it only becomes a certainty for the best players in the game.
CIOs in the ’80s were convinced by MBAs to invest in lots of technology around credit card processing. It certainly made sense in those instances, but the assumptions from 1985 do not work thirty years later in 2015. The amount of diligence required to maintain high levels of security around sensitive data is daunting. Most CIOs should take the time to challenge old assumptions. What if you could remove PCI DSS requirements completely? How much would that save you?
What Can You Do?
Compliance is a necessity, but don’t make it your high-water mark. Even the PCI Security Standards Council is on record saying that PCI DSS isn’t enough to protect you from a breach. That isn’t too dissimilar from baseline EPA requirements to protect the environment, basic OSHA requirements to protect worker safety, or basic financial controls to prevent misreporting. Let’s not forget that the sub-prime lending crisis started on its path before SOX, and boiled over several years after it was enacted. Take a realistic look at the kinds of data your business uses that make you an attractive target. Then find ways to remove it so the attacker moves on as well.