EXPLORING THE INTERSECTION OF COMPLIANCE AND SECURITY
With cyber security increasingly gaining attention at the boardroom level, many organisations point to their compliance efforts as proof that security sits high on the business agenda. The reality, however, is that a security program should extend far beyond compliance requirements. While compliance standards set the stage for protecting personal data, by no means are they a sufficient measure of security, as evidenced by the number of compliant organisations that still get breached.
Standards cannot keep up with attackers, nor are they intended to. Nearly all of the standards were developed to motivate a large population of organisations with subpar security to improve and, in turn, increase the difficulty and cost for attackers seeking to obtain private data.
But where exactly do compliance and security intersect? Let’s start by looking at PCI DSS requirements as they relate to common attack methods, and then examine best practices for remediating risk.
PCI DSS: by the numbers
The Verizon 2015 PCI Compliance Report shines a light on how well organisations are implementing and sustaining security measures. On average, organisations were compliant with 93.7 percent of PCI DSS requirements in 2014, up significantly from 52.9 percent in 2012. However, a perfect score (100 percent) is required to be validated as fully compliant – a feat that was only managed by 1 in 5 companies.
Jul-Sep 2015 Issue