The ongoing history of credit card breaches at major card processing organizations continuously begs a simple question; do organizations treat compliance as their security high-water mark?
The analogy may not be perfect, but if you have a smoke detector in your basement but the fire starts in the kitchen and you’re asleep on the second floor, what are your chances of survival? Do organizations truly believe that being ‘compliant’ is synonymous with covering all security bases? Certainly, no organization wants to be breached, but are they doing enough?
It does seem that when there is a major breach there is often someone who points-out that the organization was, in-fact, compliant with certain standards. There are also others who opine that absolute security isn’t practical, and that covering every possibility in compliance standards is impossible – so exceptions have to be made. I believe that both of those points are correct. We know that the ultimate security is a system that isn’t plugged-in. Of course, that’s not exactly business-friendly, and so achieving a balance is the great challenge.
Many of the compliance requirements are designed to help organizations achieve the right balance. They are formalized and audited best practices. What many organizations do is treat compliance as the ultimate goal that is to be achieved at the smallest possible cost. It’s not about balancing robust security against operational effectiveness and the cost of security. It’s perceived as throwing money down the drain to be rid of some pain, and that pain is compliance, not threats.
Let us look at it using an example. Most of the Westernized world EXCEPT America uses chip-and-PIN credit cards, though there is some talk of finally rolling them out. I’ve had the amusement of helping a European through the signature process at a US airport. The server swiped his card at the cash, and brought him the print-out to sign. He looked at the pen and paper, wondering what was going-on. “You just have to sign it, and you’re done, no PIN, no authentication of any sort”, I let him know after a few moments. The look on his face was priceless.
Nobody with common sense will declare that chip-and-PIN cards will eliminate fraud, but they do add another layer of protection. Why the US waited so long also has the same common-sense answer; the benefit didn’t outweigh the cost. According to some sources, the US accounts for one-quarter of credit card transactions, and half the fraud. However, consumers weren’t paying for it directly, and so there was no demand. Why pay for security that customers don’t care about (even if they are, ultimately, paying for it)?
That same balancing act happens within datacenters. Surely there are people paid to estimate the risk of a breach, and the potential cost. That is then weighed against the cost of additional security that would decrease the risk. A mom-and-pop shop that unwittingly hosts a breached point-of-sale device for months could lose their business if customers lose all trust and go to the other mom-and-pop across the street.
However, organizations that make billions in revenue every year likely don’t feel the same level of risk. Well until now. The difficulty is that the mom-and-pop shop isn’t able to do something like enforce the use of chip-and-PIN; that’s up to a multi-billion dollar organization.
Simply put, even at large organizations where there can be hundreds of millions, or even billions, on the line, talking about security risks is difficult. It is simply human nature to downplay future costs against money-in-hand today. Just ask a life insurance salesperson.
While compliance standards like Payment Card Industry Security Standards Council (commonly referred to as simply “PCI”) are a good thing, they have their own balance to achieve. Highly complex standards like health-care (HIPAA) are open to widely varying interpretation. PCI is quite straightforward, but as simple as it is, it also is open to some interpretation.
The problem that remains, and will always remain, is that most of that interpretation is done to err on the side of minimizing the cost and effort of achieving compliance, not maximizing the effectiveness of the principles and practices of the standard.