Tuesday, September 9, 2008

"So What's Everyone Else Doing???"

As a security auditor, I can't tell you how many times I've been asked this when talking about compliance. If I only had a nickel for every time someone asked me that question... well... I'd probably want to throw it at the person who just asked it. This is such a bad question on so many levels, and it still frustrates me each time. That being said, I suppose I should answer it here so that maybe, just maybe, they won't ask next time.

My first response is, 'everyone else' is not doing a good job, not enough, and likely the wrong things. For example, take PCI compliance. Even after all this time, only 77% of Level 1 Merchants are compliant. Now if everyone is being as tough as they should be, those merchants are getting fined $25,000 per month and a possibly higher transaction rate. Compliance basically exists because when 'everyone else' was doing what 'everyone else' did, 'everyone' sucked! So somebody had to step in and raise the bar for them. It's like the flock needing a shepherd.

Now imagine that all of a sudden you get breached because your 'average' organization is doing things just like 'everyone else,' which isn't enough... do you really want to stand at the podium and state that you didn't do enough because others aren't? Is that really a good, defensible position? On average, the average isn't good. So do you really want to measure yourself against them?

I think it's also ironic when you realize that just prior to this question is the statement made by the same person that "Well, we're unique here at Company X". Of course you are! If not, I can't imagine you'd have differentiators and be unique. There is no reason why that can't be security. It is probably a pretty good reason not to be like 'everyone else'. I'm hoping the next time someone asks me this, they want to know so they can use it for out-marketing 'everyone else'.


Dalt said...

It always comes down to money. No-one wants to overspend because compliance is a cost more than a new feature/product. And even if one is "out of compliance," a smart business person might take the $10k fine rather than spend $750k to avoid it. Until I see a slew of firms going out of business specifically because of non-compliance, it's all just a matter of money. =)

Jason Leuenberger said...

We hear this a lot...

It does cost money to become compliant. Good point. Unless the company has already gone and followed the frameworks laid out by SOX, PCI, etc.

The framework laid out by PCI, for example, isn't demanding anything excessive. PCI DSS states, on the website, that it's been defined because organizations are just not protecting data like they should.

And that's bad.

So that smart business person can continue to pay $10k fines, but they're probably ignoring security fundamentals.