Data Breaches Show PCI DSS Ineffective

December 10, 2009 by ADMIN

By Danny Lieberman, Security Expert and Founder of Software Associates

A recent Ponemon survey (pci-dss-survey-key-findings-final4) found 71% of companies don’t consider PCI as strategic, though 79% had experienced a breach.

Are these companies assuming that a data security breach is cheaper than the security?

How should we understand the Ponemon survey? Is PCI DSS a failure in the eyes of US companies?

Let’s put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.

Consider two central principles of security – the cost of damage and the goodness of fit of countermeasures.

a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question. If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k, then PCI certification is not only not strategic, it is a bad business decision.

b) Common sense says that your security countermeasures should fit your business, not a third-party checklist designed by a committee and obsolete by the time it was published.

The fact the Ponemon study shows that 71% of businesses surveyed don’t see PCI as strategic is an indication that 71% have this modicum of common sense.

The other 29% are either naive, ignorant or work for a security product vendor.

Common sense is a necessary but not sufficient condition. If you want to satisfy the two principles you have to prove two hypotheses.

First, data loss is currently happening:

* What data types and volumes of data leave the network?
* Who is sending sensitive information out of the company?
* Where is the data going?
* What network protocols have the most events?
* What are the current violations of company AUP?

Second, a cost-effective solution exists that reduces risk to acceptable levels:

* What keeps you awake at night?
* What is the value of the information assets on PCs, servers and mobile devices?
* What is the value at risk?
* Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
* How much do your current security controls cost?
* How do you compare with other companies in your industry?
* How would risk change if you added, modified or dropped security controls?
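The two hypotheses above can be tested with data rather than opinion. The following is an added example, not code from the author or from Software Associates: it aggregates a small constructed sample of outbound (extrusion) events to answer the first set of questions (types, volumes, senders, destinations, protocols, AUP violations) and then compares an assumed annualised value at risk against countermeasure cost using the article's 1M versus 100k figures. The VaR formula (records x cost per record x annual likelihood) and all sample values are assumptions for illustration.

```python
from collections import Counter

# Constructed sample of outbound events from a DLP/extrusion monitor (not real
# data): sender, data type, protocol, destination, bytes, and whether the
# destination is permitted by the acceptable use policy (AUP).
EVENTS = [
    ("alice", "cardholder", "https", "partner.example",    40_000, True),
    ("bob",   "cardholder", "smtp",  "webmail.example",   120_000, False),
    ("bob",   "cardholder", "ftp",   "203.0.113.9",     2_500_000, False),
    ("carol", "public",     "https", "cdn.example",       900_000, True),
    ("dave",  "internal",   "smtp",  "vendor.example",     30_000, True),
    ("bob",   "internal",   "https", "filedrop.example",   75_000, False),
]

def summarize_extrusion(events):
    """First hypothesis: which data types and volumes leave the network, who
    sends sensitive data, where it goes, which protocols carry the most
    events, and which events violate the AUP."""
    bytes_by_type, sensitive_senders = Counter(), Counter()
    bytes_by_destination, events_by_protocol = Counter(), Counter()
    violations = []
    for sender, dtype, proto, dest, size, allowed in events:
        bytes_by_type[dtype] += size
        bytes_by_destination[dest] += size
        events_by_protocol[proto] += 1
        if dtype != "public":          # only sensitive/controlled data counts
            sensitive_senders[sender] += 1
        if not allowed:
            violations.append((sender, dtype, proto, dest))
    return {
        "bytes_by_type": dict(bytes_by_type),
        "sensitive_senders": dict(sensitive_senders),
        "bytes_by_destination": dict(bytes_by_destination),
        "events_by_protocol": dict(events_by_protocol),
        "aup_violations": violations,
    }

def value_at_risk(records_exposed, cost_per_record, annual_probability):
    """Assumed annualised value at risk: records x cost per record x likelihood."""
    return records_exposed * cost_per_record * annual_probability

def countermeasure_justified(var, annual_cost, risk_reduction):
    """Second hypothesis: does the risk a control removes exceed its cost?
    Returns (net_benefit, justified)."""
    net_benefit = var * risk_reduction - annual_cost
    return net_benefit, net_benefit > 0
```

With a VaR of 100k, a 1M certification effort that removes 80% of the risk still has a negative net benefit, while a 20k control removing half the risk pays for itself; the extrusion summary shows where that risk actually sits (here, one sender moving cardholder data over FTP and webmail to unapproved destinations).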

If PCI is a failure, it is not because it doesn’t prevent credit card theft; there is no such animal as a perfect set of countermeasures.

PCI is a failure because it does not force a business to use its common sense and ask these practical, common-sense business questions.


Danny Lieberman is a serial technology innovator and leader – implementing ideas from brain to business. Danny has a graduate degree in solid state physics and has spent most of his adult life developing software. Since 2003, Danny has been doing data security consulting and data protection/information assurance projects using data loss prevention/extrusion prevention technology.

Software Associates provides enterprise information protection to clients in Europe and the Middle East. His latest venture is MedRep, a professional network for medical representatives and doctors. Feel free to text Danny at any time of day at +972 54 447 1114 – he is always looking for interesting projects and ideas.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com



2 Comments on Data Breaches Show PCI DSS Ineffective

  Michael Bacon on Fri, 11th Dec 2009 1:37 pm

    Many years ago, a major High Street chain in the UK had “shrinkage” that was significantly lower than the cost of anti-theft measures … so they didn’t put any in. However, their retrofit costs were substantial several years later when crime soared in their stores.

    But at least they were able to make commercial decisions, unfettered by so-called standards and unencumbered by fears of class-action lawsuits after suffering loss caused by not following a “standard”.

    PCI DSS is nowhere near “perfect”, but it is the standard accepted as the minimum by Visa, MasterCard (et al.) and the rest of the payment card industry. It thereby forms a “best practice” that, if not adhered to, when a breach occurs, will likely result in lawsuits galore. Even if these fail, they attract a cost that must be factored into the overall risk equation.

    I say “best practice” because such is triable. Standards are, by definition, “best practice”. If someone subsequently wishes to go into court with a better practice and demonstrates the same, that will become, de facto, “best practice” and the Standard will thereby be devalued. I suspect there would be considerable pressure to prevent anyone taking that course.

  Robert Morris on Fri, 11th Dec 2009 1:42 pm

    Why must an organization consider PCI to be strategic in order to affect information security breaches? Compliance with PCI doesn’t mean immunity from a breach.

    A better question to ask would be, “do you consider information security strategic for your company?” as opposed to focusing on the subset of security addressed in PCI.

    Just because PCI doesn’t confer a breach-proof environment is no reason to call it a failure. If that is the bar, risk-based approaches are also failures.
