Does compliance really matter?

Jun 19, 2007 (2 mins)
Data and Information Security

A few weeks ago I posted a blog about my new superpower, being able to see non-compliance. One of the comments after that post hinted that auditing and the need for compliance were nothing more than a money-making scam, and that the DSS (and other standards) do nothing to really secure companies, but rather artificially create a market to allow some, like myself, to “make money off the scheme.”

This got me thinking: Does compliance matter? Would companies be better off with custom-tailored, one-off security counsel from a security company? Do the DSS and other security standards actually make the world a safer place?

The answer to all three of these questions is yes.

Compliance does matter, and the DSS is making a difference. A company that recognizes the very real risk of being insecure will become significantly more secure if it can afford the time and effort of a security assessment (and, better still, a partnership with a professional security company) than it would by simply adhering to a standard.

Unfortunately, many companies have not “seen the light” and continue their business as insecurely as they did before cybercrime was hitting newspapers across the country nearly daily. These businesses may not see the return on investment that security can bring, or they may not know what to do. These businesses need a guide, and when they cannot partner with a professional security company to help answer all their questions about security, they can use a standard, like the PCI DSS, SOX, and HIPAA, to help guide them to a state of relative security.

These standards are far from perfect, but they are much better than nothing. They can help open the door for more security-aware decisions to be made in future revisions and choices.

–Joe Basirico

Joe Basirico - Security Analyst. Joe studies security and develops tools that assist in the discovery of security vulnerabilities and general application problems. His primary responsibility at Security Innovation is to deliver security courses to software teams in need of application security expertise. He has trained developers and testers from numerous world-class organizations, including Microsoft, HP, EMC, Symantec and Joe is also responsible for participating in customer security process assessments as well as security engineering activities such as security design reviews, security code reviews, security testing and security deployment reviews. Joe holds a B.S. in Computer Science from Montana State University.

John Carmichael - Security Researcher. John leverages his strong lab development, programming and security process skills to deliver factual and useful training courses to testers and developers. John is a skilled software and Web developer with deep expertise in several different languages and environments. He has made many contributions to the open source software community by developing an open source structured drawing tool implemented in Python, testing several release candidates of the Sarge installer for the Debian Linux distribution, and writing a soon-to-be-released Windows OS crash analyzer product. John has a B.S. in Computer Science and Business Administration from the University of Vermont and is currently working toward an M.S. in Computer Information System Security from Boston University.