PCI DSS, Come Forward and Be Judged
CSO Senior Editor Bill Brenner explains how seven IT security guys with differing views on the value of the PCI Data Security Standard came together for the mother of all debates. Before you get to hear the debate next week, go to the bottom of this article and get your PCI DSS primer.
By Bill Brenner , Senior Editor
January 07, 2010 — CSO —
It wasn't supposed to be that big a deal. I was at an event in Boston put on by the 451 Group, and wasn't even sure I'd walk out of there with something to write about. Then Josh Corman, one of the firm's new analysts, got on stage and started picking apart the PCI Data Security Standard (PCI DSS) -- or, more specifically, the approach companies are taking in their compliance efforts.
Within five minutes of Corman finishing his talk, I had banged out this article and posted it:
Analyst: PCI Security a Devil, 'Like No Child Left Behind'
Summary: Joshua Corman, research director for enterprise security at The 451 Group, says the private sector's obsession with PCI DSS compliance is blinding it to larger threats.
The story began:
By obsessing about PCI security compliance and spending money on overly complex and underperforming defenses, companies are ignoring risk management and making themselves a target of state-sponsored cyber villains.That was one of the main messages delivered by Joshua Corman, research director for enterprise security at The 451 Group, during that firm's 4th Annual Client Performance Conference Wednesday morning. "Organizations have made PCI DSS and compliance in general the basis of their information security policies," he said. "They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all." He compared PCI DSS to No Child Left Behind, the education reform law championed by former President George W. Bush. The law has been criticized by some who believe it has stifled innovation in education and focused too much on standardized testing.
Reaction was swift. Within a half hour, my Twitter stream was blazing with comments, most of them unhappy about what Corman had to say.
Two of my Twitter associates came forward and offered to team up for a rebuttal column -- Ben Rothke, a security consultant with BT Professional Services and author of Computer Security: 20 Things Every Employee Should Know, and Dr. Anton Chuvakin, a recognized security expert in the field of log management and PCI DSS compliance.
PCI DSS: No Angel, But Certainly Not the Devil
Security luminaries Anton Chuvakin and Ben Rothke explain why 451 Group analyst Josh Corman is off base when he compares PCI security to a devil and "No Child Left Behind."
Among other things, they wrote:
We'd like to remind PCI critics that as they whine about PCI as too little, too late, organizations that handle your sensitive data are conducting gross negligence in regards to security. Please get out of your perfectionist ivory tower and see the real world; a world full of security laggards -- not leaders that you are accustomed to! When Corman writes that "compliance with such laws and industry standards as Sarbanes-Oxley and PCI drives companies to spend far more on security than they might otherwise," he misses the point entirely. PCI pushes companies to do far more for security than their old negligent approach. Many companies start there and then eventually "graduate" to having a solid security program. Once they get there, any new standard or regulation will be easier to retrofit. Please don't confuse companies clueless about security with PCI DSS guidance. PCI was never meant to "cure stupid." Perhaps the most egregious comparison Corman makes is to lump PCI with SOX. The two have truly nothing in common. SOX wasn't the best course of action -- rather, it was an imprudent regulation created by a Congress that did not know what the problem was or how it happened. One is hard pressed to find anyone who would say that the cost of SOX compliance was equal to its benefit.