Should Compliance Drive Security?


Practically all of us accept credit cards, so we need to be PCI compliant. The question, though, is "If we comply, are we secure enough?" It's an easy assumption to make, and a lot of us take that route. We all have firewalls and antivirus, and some of us run intrusion detection, but these products are mostly making (educated) guesses about what is going on. They are necessary, but they are not sufficient.

When I look at the general threat landscape, I think that PCI compliance should not drive your security posture; to some degree that is putting the cart before the horse. Many of the companies that were recently the victim of a data breach were compliant. Your security practice will fail if compliance is in the driver's seat, because as an organization you will fall into the trap of performing to the test instead of performing to the task. (Remember the "paper MCSEs"? Many were not able to actually function as a Microsoft Certified Systems Engineer and failed miserably.)

So, what to do? Think like the attacker. Identify your key assets. Which of our data is strategic IP, customer data, or other sensitive / confidential information? The people who have access to this data have a target on their back and will be exposed to sophisticated social engineering attacks. The attackers are going to go after your high-value systems and people. You need to identify these and prioritize their protection. One of the essential elements of Defense-in-Depth is the outer shell of Policies, Procedures and Awareness.

To make your organization a hard target that is resistant to Advanced Persistent Threats (APT), one of the pieces of the puzzle you need to have in place is security awareness training, and your employees need to be trained by an expert.
