I attended the 2010 RSA Conference in San Francisco last week. As expected, one of the major themes resonating throughout the conference keynotes, sessions, and exhibit hall was the opportunity we have as security professionals to help secure increasingly virtualized and cloud-based infrastructures. More on that in my next blog.
During the show, I attended a session, “PCI 2.0? What’s Next for the PCI Security Standards and Council?”, presented by Bob Russo, General Manager, PCI Security Standards Council. Bob did a great job in explaining the basic organization of the Council and updated attendees on the status of three updated standards that will be released this year: PCI Data Security Standard (PCI DSS), PIN Transaction Security (PTS), and Payment Application Data Security Standard (PA-DSS).
What really stood out for me, however, was Bob’s view on compliance as a foundation for security. Over and over again, Bob reiterated that what organizations should really strive for is security - with compliance being a “by-product” of security. In his view, the PCI standard is about security, not compliance. For example, Bob cited last year’s Verizon Breach report, discussing at length how it may take corporations anywhere from two weeks to months to discover a breach, and how, typically, the evidence of the breach was in the logs for the duration of the event – had anyone bothered to check. In this example, having the log management solution in place to satisfy PCI requirements, but not actually reviewing the logs, exemplifies a dangerous “checkbox” approach to the standard.
Bob went on to assert that while the cost of compliance with the standard may be significant, it may be up to 20 times more costly to deal with the after-effects of a breach when you take into consideration levied fines, consumer and shareholder lawsuits, loss of customer trust, and other revenue-impacting factors. Per Bob, “If you lose your customer confidence, there goes your business.”
While the PCI standard is an extremely useful means by which to achieve good security, corporations must avoid the trap of thinking they’ve “done enough” by simply meeting the requirements of compliance. Corporations must use the security and forensics data delivered by compliant IT infrastructures to make effective and intelligent security decisions, and defend against potentially devastating breaches. Good security - tightly woven into the culture of an organization - is essential to the health and welfare of the business.
Mar 12 2010, 10:40 AM
Filed under: Security, Data Breach, PCI DSS, PCI Standards Council, Compliance, RSA, PCI, RSA Conference, Verizon Breach Report, RSA 2010, PTS, PCI Standard, PA-DSS, Bob Russo, Renee Bradshaw, Security Web