Day 3 - PCI DSS & Stockholm Syndrome

We’ve had PCI DSS discussion on our blog for 3 days in a row. That’s one heck of a tail-wind. Computerworld’s Ben Rothke has an interesting opinion piece today, “Battling information-security Stockholm syndrome.” Yesterday I mentioned that in my opinion, organizations fail to adopt or even take PCI DSS seriously because of the lack of incentive (carrot) or penalty (stick). Take it a step further and look at the example in Ben’s article where the CIO of the National Retail Federation says that “PCI DSS… was supposed to prevent [data theft] crimes…” further leading to the perception that PCI is a “failed” standard.

I wouldn’t go as far as Ben and say that organizations sympathize with the hackers, script kiddies, and identity thieves (as he suggests with the Stockholm Syndrome label). IT shops aren’t sympathizing with the malicious underworld — they’re just looking for guidance with measurable results. It’s not surprising they become overwhelmed, frustrated and disillusioned by the reality of threat management.

The truth is that for most small retailers, PCI is the first time they have been subject to ANY IT regulation or standard. Compliance in IT is a new concept for them, and most have neither the budget nor the process in place to deal with it.

As good security professionals we know that there is no “Holy Grail” to prevent theft, DoS, etc. But we need to convince organizations that they need to take a more holistic approach to security, and that doing so isn’t “hokey-poky” or ambiguous. The threats are dynamic, and the mitigation needs to be just as dynamic and multi-layered (defense-in-depth).

The PCI Security Standards Council needs to get out the stick, carrot and soap box and get to work before DSS gets a bad rap.
