Posted by: Jack Santos
The following two articles really rang true for me. One was about Equifax's Tony Spinelli, the other a blog post by Nitesh Dhanjani. Although both were published in the last 18 months, they are still relevant today. The basic question is:
"Do you become secure to be compliant, or compliant to be secure?"
Sounds like a premise for a "Sex and the City" skit. Unfortunately, it's a question that (consciously or unconsciously) gets answered both ways in corporate America.
I can think of a situation where the CEO and CFO were adamant about not meeting PCI standards - even if it meant incurring the fine; they just didn't think it was worth the effort, and felt that security proposals and project efforts should stand on their own after evaluating risk/benefit. In their assessment, PCI recommendations didn't meet the criteria (until TJX changed their view of risk).
So in some ways this was an admirable position that followed the intent of Nitesh and Tony's argument - but to a different conclusion.
So let me ask the provocative question: Once PCI sets "the bar", no doubt it is a quick, slippery slope to a "be compliant to be secure" approach -- the PCI standards become a minimum that companies must meet.
And what is wrong about that, if we get the desired end? Is this a case of "the better being the enemy of the good"?