Compliance vs. Security: a thought exercise
This post will be substantially shorter than most…it, truly, is a thought exercise.
I was sitting in the office of a colleague last week and we were discussing the mantra that many of us who deal with PCI Compliance end up repeating frequently. The statement, depending on situation, goes something like:
PCI Compliance is, simply, a milestone event. True security is about risk management.
Or, if you prefer:
Compliance != Security
As we were discussing this topic*, I was thumbing through the QSA training guide that is issued by the PCI Security Standards Council. As we looked at the materials, the discussion took a shift and we began a thought exercise that has been tickling the back of my brain for the last week.
If, for a moment, we could assume compliance (as a milestone event) was always the outcome of a risk-based approach to security…what is it that you would do differently than that which is mandated in the PCI requirements? What is it that the compliance process prevents, or inhibits, you from implementing as a risk-based control?
What’s your perspective? Agree? Disagree? Anything to add? Critiques? The comment form is below…
* Yes, this was done solely for enjoyment. We are just that into payment security…
December 16, 2009
4 responses to Compliance vs. Security: a thought exercise
Hey Tyler,
Well looky there, now you guys are getting into my world. 😉 I totally agree that the traditional model of auditing once a year (milestones) is broken. We have shifted our perspective in this and moved to what we call “continuous compliance”. Instead of this one point in time mentality we instead work to ingrain compliance in everyday processes and distribute the workload across the year. Lastly, we're big fans of what the collaboration tools do to enable this type of process and see them going hand in hand.
If you're interested, we did a video that talks about continuous compliance that we're pretty proud of located here: http://bit.ly/8Glen9
Brad,
Good to hear from you! I will have to agree that I love the way in which you've presented the information regarding continuous compliance in the linked video.
The milestone approach is, definitely, not sufficient in adopting a risk-based stance. I suppose my query, in specific, was regarding PCI-DSS and what folk would choose to do differently than stated in the requirements if they did, in fact, not have to worry about compliance verification and instead only focused on risk.
For me, the difference in activity would seem to be rather minimal…at least notionally.