Why PCI Is NOT Security (Part 4).
The Final Analysis.
Again, I’m not saying that PCI is a bad thing – it’s a tool, and it adds value. It’s the approach that organizations take that determines whether it’s a bad thing, and what that overall value turns out to be. The right approach can certainly enhance security – but the wrong approach can just as certainly damage security – within organizations, across the industry, and as a profession.
We fix this problem by reorienting ourselves from a compliance-based mindset to a security-based one: advocating, with every breath, the true business value that security has to offer, and taking every opportunity to help reorient others – even if it’s hard or unpopular at times. Communication is the key – getting buy-in at every level. That’s always been the answer – for security or compliance.
That’s where security awareness and training come into play, but that’s an entirely different topic. One that I’ve already been writing about rather extensively ;-)
’Til next time…