Protegrity Blog

Compliance Does Not Equal Security

Author: protegrity

Among the myriad lessons from the Target breach, perhaps the most important is that “Compliance” does NOT equal Security. As Brandan Blevens of TechTarget recently reported, the Target breach lawsuit is pinning partial blame on the security vendor Trustwave. Target had been certified as compliant with all applicable regulations, yet it was discovered after the fact to have failed to meet many of the requirements. So how did this happen?

  • First, compliance is often used as a guide to the least possible amount of security necessary to comply.
  • Second, regulations are based on best practices to provide a baseline of security for past threats, not a solution to maximize security for the future.
  • Security auditors often come in selling a solution, rather than looking for a problem.
  • In other cases, auditors are paid to come in and find what they’re told to find by the very company they’re supposed to be assessing!
  • Many companies rely on access controls and firewalls for security, even though they consistently fail to prevent breaches.
  • SIEM solutions are fogged by noise and usually find evidence only after a breach has already occurred.

Many of the failures of data security today can be directly attributed to negligence of, or ignorance of, best practices for protecting data. The answer lies in independently verified solutions that protect the data itself. Decoupling the assessment from the solution is vital to an unbiased audit. I think that cyber insurance should play a bigger role in this scenario: the insurance premium level should be tied to the types of security controls that the merchant implements, so that the premium reflects both the quality of the security solution and the quality of the auditing performed.

In addition, if breaches cannot be wholly prevented or detected in real time, then the data must be secured to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization. Studies have shown that users of data tokenization experience up to 50% fewer security-related incidents (e.g. unauthorized access, data loss, or data exposure) than non-users. With an objective system to verify security in place, and a strong solution that actually protects data rather than building walls around it, companies can be assured that they are actually secure, rather than just ticking a compliance checkbox.
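To make the tokenization point concrete, here is an added example (not Protegrity's product or code, and not part of the original post) of a simple vault-based tokenization scheme. The `TokenVault` class, the sample transactions and the card numbers are all constructed for illustration; the card numbers are well-known test numbers, not real accounts. The example shows what the paragraph describes: the analytics system holds only tokens that keep the shape it needs (same length, same last four digits, one stable token per card), while the mapping back to the real card number exists only in the separately protected vault, so a stolen transaction table contains no card numbers at all.

```python
"""Added example: vault-based tokenization of card numbers (PANs).

Constructed demonstration, not Protegrity's product or code. Tokens keep
the shape analytics needs (same length, same last four digits, one token
per card) while the real PAN lives only in a separately protected vault.
"""
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Hypothetical in-memory vault: the only place a token maps back to a PAN."""

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or len(pan) <= self.keep_last:
            raise ValueError("expected a numeric PAN longer than the preserved suffix")
        if pan in self._pan_to_token:          # same PAN always yields the same token
            return self._pan_to_token[pan]
        random_len = len(pan) - self.keep_last
        while True:
            # Random digits plus the preserved suffix; unrelated to the PAN, so
            # the token leaks nothing beyond the last four digits.
            token = "".join(secrets.choice(DIGITS) for _ in range(random_len)) + pan[-self.keep_last:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can recover the PAN."""
        return self._token_to_pan[token]


# Constructed sample transactions (industry test card numbers, not real accounts).
SAMPLE_TRANSACTIONS = [
    ("4111111111111111", 20.00),
    ("5555555555554444", 35.50),
    ("4111111111111111", 5.25),
    ("378282246310005", 99.99),
]


def tokenize_ledger(vault, transactions):
    """Store only (token, amount) pairs: what the analytics system would hold."""
    return [(vault.tokenize(pan), amount) for pan, amount in transactions]


def spend_per_card(ledger):
    """Analytics on tokens alone: per-card totals without ever seeing a PAN."""
    totals = {}
    for token, amount in ledger:
        totals[token] = round(totals.get(token, 0.0) + amount, 2)
    return totals


def pans_in_ledger(ledger, pans):
    """Model theft of the ledger: how many real PANs appear in it verbatim?"""
    stolen = {token for token, _ in ledger}
    return sum(1 for pan in pans if pan in stolen)


def demo():
    vault = TokenVault()
    ledger = tokenize_ledger(vault, SAMPLE_TRANSACTIONS)
    totals = spend_per_card(ledger)
    exposed = pans_in_ledger(ledger, [pan for pan, _ in SAMPLE_TRANSACTIONS])
    return vault, ledger, totals, exposed


if __name__ == "__main__":
    vault, ledger, totals, exposed = demo()
    for token, total in totals.items():
        print(f"{token}  (ends {token[-4:]})  total={total:.2f}")
    print("real PANs recoverable from the ledger without the vault:", exposed)
```

The design choice worth noting is that the token is random rather than derived from the card number: an attacker who obtains the ledger gets nothing to decrypt or brute-force, because the only link back to the PAN is the vault lookup table. That is the sense in which the paragraph above says the data is "useless to a potential thief" while per-card analytics (the totals computed here) still work on the tokens alone.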
