Solution Centers

DRILLDOWNS

Cloud Computing

Operating Systems

More

Analyst: PCI Security a Devil, 'Like No Child Left Behind'

By obsessing about PCI security compliance and spending money on overly complex and underperforming defenses, companies are ignoring risk management and making themselves a target of state-sponsored cyber villains.

Leave a comment

By Bill Brenner

Wed, November 04, 2009 — CSO — By obsessing about PCI security compliance and spending money on overly complex and underperforming defenses, companies are ignoring risk management and making themselves a target of state-sponsored cyber villains.

A Guide to Practical PCI Compliance

That was one of the main messages delivered by Joshua Corman, research director for enterprise security at The 451 Group, during that firm's 4th Annual Client Performance Conference Wednesday morning.

"Organizations have made PCI DSS and compliance in general the basis of their information security policies," he said. "They're basing security on sloppy logic from Visa and MasterCard and in the process are ignoring some very bad state-sponsored threats. As a community, we have not evolved at all."

He compared PCI DSS to No Child Left Behind, the education reform law championed by former President George W. Bush. The law has been criticized by some who believe it has stifled innovation in education and focused too much on standardized testing.

MORE ON THE PCI SECURITY DEBATE:

* PCI, QSAs, Hackers, and Slackers: Will the Real Enemy Please Stand Up?

* Unmasking DLP: The Data Security Survival Guide

* End-to-End Encryption: The PCI Security Holy Grail

It's a warning Corman has made before. In a recent interview with CSOonline, shortly before he left his previous job at IBM ISS, he outlined what he called 8 Dirty Secrets of the IT Security Industry, with compliance endangering security charting as the sixth dirty secret.

Compliance with such laws and industry standards as Sarbanes-Oxley and PCI DSS drives companies to spend far more on security than they might otherwise, he said. Security vendors have obviously seized upon this fact, offering products that do everything from offer PCI compliance out of the box to ultimate cure-alls for healthcare entities coping with the demands of HIPAA. Of course, this too leads to companies buying security tools that fail to properly address the particular risks they face.

"There are really bad people out there doing bad things and few pay attention to things like state-sponsored attacks and cyber warfare. This is because everyone's focusing on compliance," Corman repeated Wednesday.

He also warned that companies are driving over a cliff with obsessions over legacy security programs that are no longer effective and implementing the hottest new technology like cloud computing services.

See also: The Curse of Cloud Security

To the first point, he said, "Security professionals are the pack rats of IT. We hang on to the wooden shields -- firewalls and AV -- which don't really work against new threats."

1 | 2 |next page »

Comments

Print

LinkedIn

Security

More from IT Drilldown « Back to Security

Articles

Mozilla Exec Suggests Firefox Users Move to Bing, Cites Google Privacy Stance

HP Patches OpenView Vulnerabilities

Lack of Telework Preparedness Threatens Business Continuity

Postal Service Extends AT&T Managed VPN Pact

Facebook's New Privacy Settings: 5 Things You Should Know

Microsoft Knew of Just-Patched IE Zero-Day for Months

Facebook Users Speak Out Against New Privacy Settings

VeriSign Ensures Security in the Cloud

More Articles »

Mobile Security ABCs

Get up to speed on mobile security.

Learn More »

Security Newsletter

Security MarketSpace

The CIO's New Guide to Design of Global IT Infrastructure

Read this paper to learn the 5 key principles you can leverage to redesign an environment of any size. Learn more »

Eliminate Distance in the Virtual Environment

Virtualization has been the driver behind IT consolidation. Watch this Web Seminar to see the pivotal role application acceleration can play in eliminating distance, speeding remote disaster recovery and improve application performance in a virtual environment. Learn more »

Extreme Savings-Cutting Costs with Riverbed Solutions

Reduce Bandwidth Utilization. Learn how Riverbed can reduced hard costs while improving application performance... Learn more »

Forrester on WAN Optimization for Mobile Users

Forrester conducted interviews of more than 300 IT pros to understand the challenges they face as their organizations have become more mobile. Their experiences with WAN optimization and Forrester's recommendations will help you understand the criteria needed before choosing a WAN optimization technology. Learn more »

Five Steps to Successful IT Consolidation

WAN Optimization, Why Consolidate? This white paper provides 5 easy steps to help you map out a sound strategy. Learn more »

An In-Depth Look at ROI

Learn how to evaluate ROI in hard dollars and soft dollars with three key ROI metrics. Learn more »

The Case for Data Protection for SMBs

Email and Web Threats Require a Layered Defense

Learn how web threats are changing and how using a layered defense strategy can give you the security you need. Learn more »

WHITE PAPERS

Definitive Guide to Wide Area Data Services

Cut Costs with WAN Optimization

Forrester Research: Recommendations for Mobile WAN Optimization

Consolidation and Virtualization in 5 Easy Steps

Secure Email and Web-Based Communication from Evolving Attacks

Understanding Versatile Authentication and Its Benefits

Managed Security for a Not-So-Secure World

Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle

Managing a growing threat: An Executive's Guide to Web Application Security

Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities

IDC Q&A: The Mobile Workforce

Oracle Business Brief - Business Continuity - Are You Always Open for Business?

The Forrester Wave™: Web Filtering, Q2 2009

The Forrester Wave™: Email Filtering, Q2 2009

VIP Access for Mobile: Making Consumer Two-Factor Authentication Simple and Cost-Effective

Authentication as a Service by Forrester Research

Mining the Cloud to Ease the Enterprise Compliance Burden

Enabling Secure B2B Collaboration: Cloud-Based Authentication for Next-Generation Extranets

Solve Five Key IT Security Challenges with Cloud-Based Authentication

8 Elements of Vulnerability Management

More White Papers »

SPONSORED LINKS

Making Consumer Two-Factor Authentication Simple and Cost-Effective

Mining the Cloud to Ease the Enterprise Compliance Burden

Solve Five Key IT Security Challenges with Cloud-Based Authentication

IDC White Paper: CCM for IT Compliance and Risk Management

Keeping Your Members Safe from Online Scams and Predators

Learn about the growing threat of insider data theft.

Efficiency goes up. Costs come down.

Verint Systems. Discover the Power of Intelligence in Action"

Unified Communications: Thoughts, Strategies and Predictions. Join the discussion.

Return on Information: Google Enterprise Search pays you back

Cut Costs & Green Your IT Operations with PC Power Management

Webcast: Unleashing the Power of Customer Data

White Paper: Legacy Tools: Not Built for the Helpdesk

Taking a Seat at the Executive Table: The Reality of Virtualization

White Paper: Next Generation Remote Infrastructure Management

Seven Design Requirements for Web 2.0 Threat Protection

Cloud-Based Email Management: Opinion Shifts In Favor

Achieving Business Agility with Application Grid

Ready to virtualize tier one applications? Check your virtualization maturity.

Seven Ways ITIL Can Help You in an Economic Downturn

Tips for successful virtualization management.

Read about how to add efficiencies with Microsoft Virtualization.

Dark Fiber from Sunesys Save on Unlimited Bandwidth with Fixed Costs.

Masters of Virtualization and Cloud Computing - Daily News

Webcast: The Costs and Challenges of Supporting Today's Information Worker

Authentication as a Service by Forrester Research

Cloud-Based Authentication for Next-Generation Extranets

Mobile Security: The Essential Ingredient for Today's Enterprise

Secure Email and Web-Based Communication from Evolving Attacks

WagerWorks Takes Fraudsters Out of the Game using iovation

White Paper: A Security Blueprint Delivered From within the Network

Maximizing efficiencies with unified communications.

Cisco SIO To Go for iPhone. It's like having a security expert in the palm of your hand.

Upgrading to VMware vSphere with vWire

Maximizing website Return on Information with high-quality search

See how AT&T can help protect your network.

White Paper: 5 Best Practices for Smartphone Support

Global Research: CIOs Weigh In On Virtualization

5 Key Virtualization Management Challenges

The Total Economic Impact of Network Security Intrusion Prevention

Generation Remote Infrastructure Management - Changing the Paradigm

Lower IT Costs with Oracle Database 11g Release 2

White Paper: Visibility and the New Normal of Mobile Work

Taking the Service Desk to the Next Level

Learn about The Information Technology Infrastructure Library.

Five CIO challenges addressed by better change management

CA ARCserve r12.5 is More Than Backup! Download Trial Version Today

Secure & simplify your data center w/Juniper Networks.

Register for more Windows Enterprise Webcasts today.

Gartner Symposium ITxpo 2009: The World's Most Important Gathering of CIOs and Senior IT Executives

RESOURCE CENTER

© 1994 - 2009 CXO Media Inc.