Among the myriad lessons from the Target breach, perhaps the most important is that “Compliance” does NOT equal Security. As Brandan Blevins of TechTarget recently reported, the Target breach lawsuit is pinning partial blame on the security vendor Trustwave. Target was certified as compliant according to all applicable regulations, yet was discovered after the fact to have failed to meet many of the requirements. So how did this happen?
Many of today's data security failures can be attributed directly to negligence of, or ignorance of, best practices for protecting data. The answer lies in independently verified solutions that protect the data itself. Decoupling the assessment from the solution is vital to an unbiased audit. I think that cyber insurance should play a bigger role in this scenario: the insurance premium level should be tied to the types of security controls that the merchant implements, so that the premium reflects both the quality of the security solution and the quality of the auditing performed.

In addition, if breaches cannot be wholly prevented or detected in real time, then the data must be secured to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization. Studies have shown that users of data tokenization experience up to 50% fewer security-related incidents (e.g. unauthorized access, data loss, or data exposure) than non-users. With an objective system to verify security in place, and a strong solution that actually protects the data rather than building walls around it, companies can be assured that they are actually secure, rather than just ticking a compliance checkbox.
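What "securing the data itself" looks like in practice, as an added example that is not code from this post or from any vendor it mentions: a toy tokenization vault that swaps a card number for a random, format-preserving token. The vault, the PAN values and the Luhn helper are constructed here for illustration; a real vault is a hardened, access-controlled service.

```python
import secrets
import string
from typing import Optional


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal in-memory tokenization vault (an added illustration, not a product)."""

    def __init__(self) -> None:
        self._token_to_pan: dict = {}
        self._pan_to_token: dict = {}

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a random token of the same length that keeps the last four digits."""
        if pan in self._pan_to_token:  # same PAN -> same token, so joins and analytics still work
            return self._pan_to_token[pan]
        while True:
            # The leading digits are drawn at random: the token is not a function of the PAN,
            # so no key and no algorithm can turn it back. Only the vault's lookup table can.
            # Keeping the last four digits and Luhn validity lets it flow through existing
            # systems (receipts, reports, format checks) without exposing the real number.
            prefix = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token != pan and token not in self._token_to_pan and luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Look the PAN up; returns None if this vault never issued the token."""
        return self._token_to_pan.get(token)
```

A stolen token database, or a stolen analytics extract built on tokens, therefore yields nothing to the thief unless the vault itself is also compromised, which is why the vault must be the most tightly controlled component in the design.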