BOSTON -- By obsessing about PCI security compliance and spending money on overly complex and underperforming defenses, companies are ignoring risk management and making themselves a target of state-sponsored cyber villains.
That was one of the main messages delivered by Joshua Corman, research director for enterprise security at The 451 Group, during that firm's 4th Annual Client Performance Conference Wednesday morning.
"Organizations have made PCI DSS and compliance in general the basis of their information security policies," he said. "They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all."
He compared PCI DSS to No Child Left Behind, the education reform law championed by former President George W. Bush. The law has been criticized by some who believe it has stifled innovation in education and focused too much on standardized testing.
It's a warning Corman has made before. In a recent interview with CSOonline, shortly before he left his previous job at IBM ISS, he outlined what he called 8 Dirty Secrets of the IT Security Industry, with compliance endangering security charting as the sixth dirty secret.
Compliance with laws and industry standards such as Sarbanes-Oxley and PCI DSS drives companies to spend far more on security than they otherwise would, he said. Security vendors have seized on this, offering products that promise everything from PCI compliance out of the box to cure-alls for healthcare entities coping with the demands of HIPAA. The result is that companies buy security tools that fail to address the particular risks they actually face.
"There are really bad people out there doing bad things and few pay attention to things like state-sponsored attacks and cyber warfare. This is because everyone's focusing on compliance," Corman repeated Wednesday.
He also warned that companies are driving over a cliff in two ways: by clinging to legacy security programs that are no longer effective, and by rushing to adopt the hottest new technology, such as cloud computing services, without steering it.
To the first point, he said, "Security professionals are the pack rats of IT. We hang on to the wooden shields -- firewalls and AV -- which don't really work against new threats."
To the latter point, he stressed that the answer isn't to say no to newer technological innovations like virtualization. "Don't try to stop it. But try to steer it [in a secure direction]," he said, adding that risk and even failure are necessary steps along the path to more ironclad security.
"You have to burn your hand to know the stove is hot," he said.