Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.
- Sun Tzu

With the new year upon us, I reflect on all the "fun" security professionals had in 2009. With all the incidents that have expanded our catalog of war stories, I think that the misapplication of compliance standards is one of the themes that caused our eyes to twitch.

The Payment Card Industry Data Security Standard (PCI DSS) is "a set of comprehensive requirements for enhancing payment account data security." In other words, PCI provides a set of tactics to protect the confidentiality and integrity of data. It is a great place to start, but it is only part of the picture. Applying those tactics appropriately requires situational awareness and knowledge of the company's core values and strategy. Sun Tzu's approach to assessing an army's readiness for battle can be applied to attaining this knowledge in a business environment.

The ground gives rise to measurements, measurements give rise to assessments, assessments give rise to calculations, calculations give rise to comparisons, comparisons give rise to victories.
- Sun Tzu

Measure the Scope

"The number one PCI piece that companies don't do well is around scoping," said Verisign's Branden Williams. Given the limited resources available for any IT project, scoping is required in order to manage a project effectively and deliver on time and within budget. Data flow diagrams and business case/process mapping are one way to determine scope. Williams cautions that many companies "assume they can apply PCI to their entire environment. This is a foolish assumption, especially in the case of legacy applications." Once the scope of the implementation is determined through measurement, the assessment of business risk can be performed.
Assess the Risk

"Regulations are not designed to handle the kinds of threats, the kinds of vulnerabilities, and the kinds of problems that organizations are facing today," said Edward Schwartz, CSO of NetWitness. He recommends that risk be assessed in the context of the processes that utilize the data being protected. Sun Tzu suggests a five-point risk assessment approach.

1) The Way - refers to the culture of an organization. A risk assessment must examine the impact of values and behavior on the overall security posture. This information will be extremely useful when selecting effective controls.

2) The Weather - refers to seasonal changes in organizational priorities. A risk assessment must take patterns of organizational behavior into account. This step in the process is facilitated by alliances with business stakeholders.

3) The Terrain - refers to the competitive landscape both within and without the organization. Most security professionals are used to examining the external terrain, focusing on external threats. The internal landscape, however, presents greater issues, obstacles, and opportunities of which we must be aware. Of particular concern are the behaviors that are incentivized by management priorities; they may be focused on business expediency at the expense of security.

4) The Leadership - refers to those who promote the corporate goals and enable those goals through tactical and operational initiatives. We must assess what role those leaders will play in the PCI implementation and how they impact the overall risk posture. By understanding our end-client, the business, we can architect a control strategy, and supporting tactics, that address risk while supporting management priorities.
5) The Discipline - refers to the enforcement of security policies and procedures. A risk assessment must consider the human factors that enable threats.

Calculate the Impact of Controls

After assessing the risks, we must review the benefits and constraints of control options in order to select the appropriate ones. According to Sun Tzu, "those who are not thoroughly aware of the disadvantages in the use of arms cannot be thoroughly aware of the advantages." We must apply our knowledge of the corporate organism in order to select controls that will allow it to thrive.

If Generals do not know how to adapt advantageously, even if they know the lay of the land they cannot take advantage of it.
- Sun Tzu

Standards like PCI serve an important role in creating a baseline for data protection and a common language for discussing the related issues. However, they are not designed to contribute to market responsiveness/agility. The enlightened business creates synergies between the tactics communicated in these standards/regulations and its core competencies/strategies.