Data breaches against large corporations are nothing new; however, in both 2014 and 2015 a series of breaches took the world by surprise through mainstream media coverage. Executive leadership in every corporation has to determine its approach toward handling information security.
The big question: compliance vs. security!
When information security is viewed as a sub-organization of information technology, the answer is often the bare minimum – regulatory compliance. However, if executive leadership values true information security and sees it as an operational organization, it will strive toward a much different answer – security. In this case, the corporation will not only meet its regulatory compliance objectives but exceed them by practicing good security.
Aside from the high-profile attacks on government, health, and financial services, the industries learning the hard lesson about the difference between compliance and security are retail, hospitality, and entertainment. One thing these industries have in common is that credit card transactions are stored and transmitted, either through a point of sale or online (often referred to as card-not-present transactions).
All large corporations in retail, hospitality, and entertainment have to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Council. The members of the PCI Council are American Express, Discover, JCB International, MasterCard, and Visa (“About Us,” n.d.). These payment brands, along with other vital members of the payment card industry, have equal input into the PCI Security Standard and share responsibility for enforcing compliance (“About Us,” n.d.).
If these industries were compliant, why did they still get breached? Compliance vs. security? According to Vijayan (2014), “The recent data breaches at Target and Neiman Marcus have once again shown that compliance with the Payment Card Industry Data Security Standard (PCI DSS) is no guarantee against an intrusion.” In the article, an analyst from the research firm Gartner proclaimed: “The breaches highlight weaknesses in PCI and in the security industry” (Vijayan, 2014). The analyst further noted that “nothing in the PCI standard would have helped Target detect and block the intrusion before it happened” (Vijayan, 2014). I agree that nothing in the standard would have helped Target; however, I believe the crux of the issue lies with executive leadership and their decision between being compliant or being secure.
About Us. (n.d.). PCI Security Standards Council. Retrieved January 18, 2016, from https://www.pcisecuritystandards.org/about_us/

Vijayan, J. (2014, January 24). After Target, Neiman Marcus breaches, does PCI compliance mean anything? Computerworld. Retrieved January 18, 2016, from http://www.computerworld.com/article/2486879/data-security/after-target–neiman-marcus-breaches–does-pci-compliance-mean-anything-.html