Why PCI Is NOT Security (Part 1).
The Problem with PCI.
I’ve seen it or heard about it several times now – walking in the door of a company that’s so busy focusing all of its time and attention on PCI compliance that security falls by the wayside (don’t worry, I’ll explain the difference in a minute).
It’s easy to see how this happens – there are still business leaders out there that see security as a roadblock to maintaining agility, driving growth, and/or increasing profitability. It’s a cost-center, not a business enabler – it doesn’t generate revenue. But if you talk to these same business leaders about PCI compliance, the first thing they’ll say is “I might be hacked, but I WILL be fined”.
And that right there is the crux of the problem (well, part of it anyway).
Don’t get me wrong, PCI is the best of the compliance programs out there today, but like any other compliance-based program, it only addresses or works with a specific type of data or a related group of assets – it’s only protecting one small piece of the security pie. Think about it for a moment: if all you’re doing is protecting cardholder data, who’s protecting the rest of your enterprise? This is where the difference between ‘compliance’ and ‘security’ begins to manifest itself.
Information security – as a professional discipline and as a business imperative – is still an immature and growing field that’s always struggling to keep up with the threats and challenges of the day. Still, real security takes a holistic approach to protecting information – it’s not about identifying one specific type of information and then concentrating all of our time and resources on protecting that one type. It’s about identifying every type of information we use within our respective organizations to determine what can be protected, what should be protected, and how it’s best protected.
Compliance frameworks, on the other hand, are nothing more than tools – they are not a replacement for true security. They help justify and foster a more secure environment, but (by themselves) they do not create a secure environment. Compliance serves an extremely valuable role mainly in that it mandates *some* aspect of security within organizations that have done very little to protect information assets of their own accord. In other words, it forces people who don’t really understand or care about security to begin doing the absolute minimums within a specific context. It still doesn’t enforce good security, though.