A recent Ponemon survey found 71% of companies don’t consider PCI as strategic though 79% had experienced a breach. Are these companies assuming that a data security breach is cheaper than the security?
How should we understand the Ponemon survey.  Is PCI DSS a failure in the eyes of US companies?
Let’s put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.
Consider two central principles of security – cost of damage and goodness of fit of countermeasures
a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question. If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k – then PCI certification is not only not strategic, it is a bad business decision.
b) Common sense says that your security countermeasures should fit your business not a third-party checklist designed by a committee and obsolete by the time it was published.
The fact the Ponemon study shows that 71% of businesses surveyed don’t see PCI as strategic is an indication that 71% have this modicum of common sense. The other 29% are either naive, ignorant or work for a security product vendor.
Common sense is a necessary but not sufficient condition
If you want to satisfy the two principles you have to prove 2 hypotheses:
Data loss is currently happening.

• What data types and volumes of data leave the network?
• Who is sending sensitive information out of the company?
• Where is the data going?
• What network protocols have the most events?
• What are the current violations of company AUP?

A cost effective solution exists that reduces risk to acceptable levels.

• What keeps you awake at night?
• Value of information assets on PCs, servers & mobile devices?
• What is the value at risk?
• Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)
• How much do your current security controls cost?
• How do you compare with other companies in your industry?
• How would risk change if you added, modified or dropped security controls?

If PCI is a failure, it is  not because it doesn’t prevent credit card theft (there is no such animal as a perfect set of countermeasures) but PCI is a failure because it does not force a business to use it’s common sense and ask these practical, common-sense business questions
Danny Lieberman
Join me every Thursday for an online discussion of best practices – Register now