Report Card: 2007 Incite #10 - Time to get PC(I)
So this is it. The final Incite for 2007. Overall, I think I did pretty OK, given how dicey it is to predict anything. I'm a bit ahead of the curve on some things - but I'm good with that. If I'm not a bit ahead, then I'm not thinking hard enough.
Look for the 2008 Incites to appear in February, and then I can spend the rest of 2008 poking myself in the eye. Which I hope is good fun for you.
Incite #10 - Time to get PC(I)
PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-10-time-to-get-pc-i
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-13-2007
Final grade: D
I started the Incite Redux post with the following quote: “Much to my chagrin, compliance is still alive and well. This goose continues to lay golden eggs. Of course, the eggs are stamped with PCI, as opposed to other regulations – but it seems every time that compliance is on the ropes, a new set of legislation emerges from Mount Sinai to save everyone.”
PCI was that magic tablet in the hands of many auditors, who continued to demand certain new capabilities (mostly database security gateways, application scanning and penetration tests) that saw growth in 2007. So I’m giving up the ghost on projecting the death of compliance. It’s just not going to happen, at least for a while.
So organizations need to be strategic in how they play the compliance card. Buy the things that are important for SECURITY, and will also make the auditor somewhat happy. Focus on reporting, since you will need to substantiate what you are doing. Yes, Pragmatic CSOs do see the value in a structured security program – that part is resonating. The idea of treating the auditor like a peer and communicating in business speak is spot on.
But compliance is the cat with at least 9 lives, and continues coming back for more. So I can’t feel good about giving myself anything higher than a D for this Incite because compliance continues to be alive and well. Very alive and very well, thank you very much.
I guess I shouldn’t complain too much because I personally continue to benefit from the fact that security is riding the compliance wave. Yet, I still feel bad because it’s not the right thing to do. Whatever, what’s right doesn’t usually correlate to what happens, now does it?
Once the PCI furor dies down, what will be next? I honestly have no idea, but I know it will be something. It always is, and just when you thought compliance was down for the count – it keeps storming back with a vengeance.
Maybe we can get Bruce Willis or Harrison Ford to star in the next compliance sequel. It seems those guys keep on ticking as well, so they are good role models.
Check out the other posts in the Report Card series.