Are these companies assuming that a data security breach is cheaper than the security?
How should we understand the Ponemon survey. Is PCI DSS a failure in the eyes of US companies?
Let's put aside the technical weaknesses, political connotations and commercial aspects of the PCI DSS certification franchise for a second.
Consider two central principles of security – cost of damage and goodness of fit of countermeasures
a) The cost of a data security breach versus the cost of the security countermeasures IS a bona-fide business question.If the cost of PCI certification is going to be 1M for your business and your current Value at Risk is only 100k – then PCI certification is not only not strategic, it is a bad business decision.
b) Common sense says that your security countermeasures should fit your business not a third-party checklist designed by a committee and obsolete by the time it was published.
The fact the Ponemon study shows that 71% of businesses surveyed don't see PCI as strategic is an indication that 71% have this modicum of common sense.
The other 29% are either naive, ignorant or work for a security product vendor.
Common sense is a necessary but not sufficient condition If you want to satisfy the two principles you have to prove 2 hypotheses: Data loss is currently happening.
* What data types and volumes of data leave the network?
* Who is sending sensitive information out of the company?
* Where is the data going?
* What network protocols have the most events?
* What are the current violations of company AUP?
A cost effective solution exists that reduces risk to acceptable levels.
* What keeps you awake at night?
* Value of information assets on PCs, servers & mobile devices?
* What is the value at risk?
* Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)
* How much do your current security controls cost?
* How do you compare with other companies in your industry?
* How would risk change if you added, modified or dropped security controls?
If PCI is a failure, it is not because it doesn't prevent credit card theft; there is no such animal as a perfect set of countermeasures.
PCI is a failure because it does not force a business to use it's common sense and ask these practical, common-sense business questions.