You don't have to look much further than the high-profile credit card losses or data breaches of the last few years to realize that companies are extremely vulnerable to data theft. Take Heartland Payment Systems or the U.S. Military Veterans for example, each of which lost upwards of 130 million and 76 million customer records, respectively. Surprisingly enough, some companies facing litigation over data breaches were, or still are, PCI compliant, and yet are left wondering why they've suffered from data loss.
Compliance mandates aren't flawless, and compliance in and of itself does not lead to better security, period. PCI mandates are simply guidelines that companies can (read: are required to) follow to improve their security against hackers and insider threats, but they shouldn't stop there. Companies should focus on taking security initiatives one step further than just meeting here-and-now compliance requirements, and provide customers with the highest security regarding their personal information. While simply getting the compliance "check box" is a tempting option to the overburdened IT professional or line of business manager, it's in the best interest of the company to use the budget allotted for compliance to go above and beyond what is required in the mandate. As long as companies and organizations need to comply, they should take the opportunity to operationalize an enterprise-wide security monitoring capability.
As an example, all companies looking to become PCI compliant have to undergo an audit (a standard practice); however, the reasons for undergoing the audit are really what matter. Surviving the audit simply to meet the check box is a bad thing; relishing the audit as a milestone toward improved security is a good thing. PCI and other standards, such as NERC, are becoming more prescriptive, but even these mandates still leave room for companies to simply achieve the check box. The prescriptive nature of some requirements, such as PCI DSS 10.6, means they can be passed in isolation, without meeting the broader goal of improved security.
For instance, the requirement states that companies should "review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization and accounting protocol (AAA) servers (for example, RADIUS)."
While this particular rule tries to drive the correct behavior, it can be validated simply by demonstrating a user interface (UI) where logs can be read, or a report where logs can be viewed historically. The spirit of the rule is undoubtedly about using all of the log and information intelligence within a company to keep a vigilant eye over key information, like credit card data, so that security is preserved. In fact, one could argue that the rule should really demand that a higher level of intelligence be derived from the listed log sources, not simply that review take place. Without using that intelligence, the technology deployed is not fully leveraged and the goal of greater security isn't achieved.
The reality is that no one can review all logs for all systems on a daily basis; even in the smallest companies that are subject to PCI mandates, this cannot be achieved. Therefore, the intent of the rule, better security visibility, isn't achieved. As a result, the implementation of technology to meet PCI standards should become more stringent, which will lead to better implementation of controls, rather than simply aiming to achieve the check box.
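The gap between "logs can be viewed" and "intelligence is derived from the logs" is easiest to see in code. The following is an added illustration, not code from the article or from any PCI guidance: it takes a constructed day of AAA (RADIUS-style) and IDS log lines and produces, side by side, the volume summary a review UI would show and the findings an automated daily review should actually surface: an account that succeeded only after a burst of failures, a client address that both failed authentication and appears as an IDS alert source, and a required log source that reported nothing at all. The log formats, host names, addresses, user names and the five-failures-in-60-seconds threshold are all assumptions chosen for the example.

```python
"""Automated daily log review: deriving findings from AAA and IDS logs.

Added example; the log lines and formats below are constructed samples in a
syslog-like shape (loosely modeled on RADIUS server and IDS sensor output),
not a real product's format. Thresholds are assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one day of events from a RADIUS server and an IDS sensor.
SAMPLE_LOGS = """\
2010-03-01T08:00:01 radius01 radiusd: Login incorrect: [svc_backup] (from client nas-fw-1 port 0 cli 10.20.30.40)
2010-03-01T08:00:03 radius01 radiusd: Login incorrect: [svc_backup] (from client nas-fw-1 port 0 cli 10.20.30.40)
2010-03-01T08:00:04 radius01 radiusd: Login incorrect: [svc_backup] (from client nas-fw-1 port 0 cli 10.20.30.40)
2010-03-01T08:00:06 radius01 radiusd: Login incorrect: [svc_backup] (from client nas-fw-1 port 0 cli 10.20.30.40)
2010-03-01T08:00:08 radius01 radiusd: Login incorrect: [svc_backup] (from client nas-fw-1 port 0 cli 10.20.30.40)
2010-03-01T08:00:11 radius01 radiusd: Login OK: [svc_backup] (from client nas-fw-1 port 0 cli 10.20.30.40)
2010-03-01T09:15:22 radius01 radiusd: Login incorrect: [jsmith] (from client nas-vpn-2 port 3 cli 192.0.2.17)
2010-03-01T09:15:40 radius01 radiusd: Login OK: [jsmith] (from client nas-vpn-2 port 3 cli 192.0.2.17)
2010-03-01T12:30:00 ids01 snort[2231]: [1:9999999:1] CONSTRUCTED sample alert [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.20.30.40:51522 -> 10.0.5.8:1433
"""

# Sources that PCI DSS 10.6 expects to be reviewed daily (assumed inventory;
# radius02 is listed on purpose and never logs, to show a coverage gap).
REQUIRED_SOURCES = ["radius01", "radius02", "ids01"]

RADIUS_RE = re.compile(
    r"^(\S+) (\S+) radiusd: Login (OK|incorrect): \[([^\]]+)\] "
    r"\(from client (\S+) port \d+ cli (\S+)\)")
IDS_RE = re.compile(
    r"^(\S+) (\S+) snort\[\d+\]: \[[\d:]+\] (.+?) \{(\w+)\} (\S+):\d+ -> (\S+):\d+")


def parse_logs(text):
    """Turn raw lines into typed events; unrecognized lines are dropped."""
    events = []
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            ts, host, result, user, nas, cli = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "kind": "auth_ok" if result == "OK" else "auth_fail",
                           "user": user, "nas": nas, "cli": cli})
            continue
        m = IDS_RE.match(line)
        if m:
            ts, host, msg, proto, src, dst = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "kind": "ids_alert", "msg": msg, "src": src, "dst": dst})
    return events


def review_summary(events):
    """What a log-viewing UI or daily report shows: volume per source and type.
    This alone satisfies the letter of 'review logs daily'."""
    return Counter((e["host"], e["kind"]) for e in events)


def find_auth_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a principal whose successful login follows >= threshold failures
    within `window` (a pattern a human scrolling a log viewer will miss)."""
    recent = defaultdict(list)  # (user, client address) -> recent failure times
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] not in ("auth_ok", "auth_fail"):
            continue
        key = (e["user"], e["cli"])
        fails = [t for t in recent[key] if e["ts"] - t <= window]
        if e["kind"] == "auth_fail":
            fails.append(e["ts"])
        elif len(fails) >= threshold:
            findings.append({"user": e["user"], "cli": e["cli"],
                             "failures": len(fails), "succeeded_at": e["ts"]})
            fails = []
        recent[key] = fails
    return findings


def correlate_ids_with_auth(events):
    """Client addresses that both failed authentication and show up as an IDS
    alert source: two log sources the rule names, read together."""
    failed_from = {e["cli"] for e in events if e["kind"] == "auth_fail"}
    return sorted({e["src"] for e in events
                   if e["kind"] == "ids_alert" and e["src"] in failed_from})


def find_coverage_gaps(events, required_hosts):
    """Required sources that produced nothing today: silence is itself a finding,
    since a stopped log feed makes 'review' vacuous."""
    seen = {e["host"] for e in events}
    return sorted(set(required_hosts) - seen)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("Review summary (check-box view):", dict(review_summary(evs)))
    print("Success after failure burst:", find_auth_bursts(evs))
    print("Failed-auth clients also in IDS alerts:", correlate_ids_with_auth(evs))
    print("Required sources with no logs:", find_coverage_gaps(evs, REQUIRED_SOURCES))
```

The summary counter is the part a UI demonstration covers; the three finding functions are the part the rule's spirit asks for. Each is a few lines because the hard work is deciding what question to ask of the logs, not rendering them; in a real deployment the same questions would run over the full daily volume that no analyst can read by hand.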
For those companies that are surpassing compliance mandates to better protect customer data, the benefits are endless. In addition to the avoidance of hefty non-compliance fees, companies are seeing additional business benefits from adhering to compliance mandates, such as more efficient operation of a secure network, and improved enterprise visibility, not to mention the millions of dollars they are saving by preventing data breaches and network attacks.