Or a less sexy title: does compliance with mandates such as Payment Card Industry Data Security Standard (PCI DSS) help reduce risks for organizations (the carrot) even though it’s costly and the consequences of non-compliance even costlier (the stick)?
The best politically-correct answer is: it depends on who you are and what your approach to compliance is.
Verizon’s 2011 Data Breach Investigations Report points out that PCI DSS compliance is having some positive risk reduction results for organizations, as long as compliance is treated as a continuous process, not a one-time validation exercise.
It is important to clarify this point, since “Compliance is a continuous process of adhering to the regulatory standard,” and “validation . . . is a point-in-time event . . . that attempts to measure and describe the level of adherence to the standard.”
In other words, validation ≠ compliance; compliance ≠ security; thus validation ≠ security. But even validation, as minimalistic to security as it may seem, does show some positive results.
What this graph in the DBIR shows us is that most organizations (89%) that have been breached, were not compliant with PCI DSS at the time of the breach. They might have passed an audit, but were not compliant with the standard when the breach happened.
To fully understand these findings, I strongly encourage you to read the entire report.
So which organizations benefit most from being compliant with the PCI DSS? In a recent conversation with Mike Dahn, he shared the idea that compliance validation only helps organizations that have high security and low maturity (defined as not having documented policies or procedures) — those in group 1 in this chart– and those organizations that have low security and high maturity, those in group 2 of this graph.
Group 3 is a lost cause — they will never care about compliance or security. Group 4 is the creme de la creme. These organizations go a step beyond and manage risk (not only security) and see compliance as a nuisance to implementing best practices.
A full review of Mike Dahn’s thoughts on this topics can be found on his recent blogpost.
So what does constitute “best in class” in security and risk management? If you haven’t read Josh Corman‘s thoughts on this topic, you should. Most of his antipathy towards compliance is because he believes compliance punishes the visionary and elite practitioner who cares deeply about managing risk. He recently published what I call “Corman’s hierarchy of security needs”.
His proposition is that the “compliance is good enough” approach has proven to be insufficient and very risky. And in his pyramid he describes a way organization can do better security.
First, you need to build a defensible infrastructure. As in the story of the three little pigs, do you want to build a house made of hay or a brick house?
Secondly, you have to instill some operational discipline. He refers to the work of Gene Kim on studying high-performing organizations.
The next step is to build some situational awareness: the ability to detect threats/risks sooner, understand the impact on the business, and be able to react faster.
Lastly and only then, utilize some countermeasures. I’m not giving this enough justice and I’m not as entertaining in a blogpost as Mr. Corman is in person, so see for yourself in this recorded version of his PechaKucha talk during RSA.
I hope this blogpost provides you with some guidance and resources wherever you are in your compliance, security and risk management journey.