I've been to a few talks lately and it seems to be a growing theme. People think that being compliant doesn't make you secure, and that to be “secure” you need to exceed what you are doing at a compliance level.
I have to say I disagree, and I wish people wouldn't keep quoting such nonsense!
Compliance is a measure of security assurance at any given time, and I'd have to say that with a standard as thorough as PCI DSS it's really difficult, unless you start talking about APTs, to work through the standard and still end up with insecure systems, unless of course you're not doing it properly or are acting on inaccurate advice in the first place.
I think what people mean to say is, “getting your compliance program wrong without knowing it doesn't make you secure”. I can be very happy with that statement instead. 🙂
That leads us to an interesting dilemma. Experts on PCI DSS who actually know what they're doing are few and far between. The guidance from the PCI Security Standards website is good, but only if you understand it and don't try to take short-cuts.
It's such a pity that, although the standard started out with all good intent, the compliance moniker has been trashed by people from all sorts of companies – consultancies, merchants, banks, vendors and even card schemes and QSAs themselves.
So what can be done about it? How do we get Compliance back on the pedestal and start giving it the respect it deserves?
We really must stop spreading the wrong message, as that in itself can cause vulnerabilities to open up when companies start skipping through compliance projects.
We must not rewrite the rulebook. Countless GRC applications are on the market now that try to do PCI DSS their own way. The value of credit card information is still not perceived at board level (“it's not my data, I don't care”), and other business-critical operations overtake it on the risk register, such as disaster recovery, resilience and of course new software features that help get more customers.
Compliance IS a very valuable security component in itself, and in my six years' experience of PCI DSS audits, I've never found a single entity to be compliant from day one, and there have ALWAYS been holes in controls that leave these entities vulnerable to certain types of attack.
So yes, being compliant DOES make you secure. Implicitly.