Published on Security Incite: Analysis on Information Security (http://securityincite.com)

2007 DOI: Day 10 - Time to get PC(I)

By Mike Rothman
Created 2007-02-27 14:55
PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.

Read the rest of the 2007 Incites here [0].

I’ve been calling for compliance’s head on a platter for quite a while. Thus far, I’ve been wrong. Just when I think the gravy train is done – someone does something stupid, resulting in a new wave of legislation that then the security vendors can jump on and string out their compliance pipeline a bit longer.

But then a strange thing happened on the way to the treasure trough – basically none of these regulations have been enforced. The number of HIPAA enforcement actions is minimal, with penalties not even registering. In fact, it’s usually cheaper for a healthcare organization to just budget in compliance penalties rather than actually secure their infrastructure.

Now that’s scary, but true.

Sarbanes-Oxley runs the risk of fitting into the same category. Sure, we are still pretty early in the game, and the auditors make loud noises and grunt a lot about failing the examination – BUT WHERE’S THE BEEF? Where is a CEO’s head on a stick for bungling an ERP implementation? Until the SEC sends a high profile CEO on a perp walk, SarbOx will remain an empty suit.

Much to the chagrin of all the vendors out there trying to remain on the bandwagon.

But that brings up the regulation du jour – PCI DSS (Payment Card Industry Data Security Standard). Basically PCI is Visa and MasterCard’s power play to divert some of the risk of identity theft and fraud onto the banks. The banks then get to beat down the retailers in turn. Shit flows downhill and retailers tend to live in a pile of the slop.

Thus far, PCI has been an empty suit as well. We’ve “heard” of the beginning of costly enforcement actions, but all of this stuff has been handled in the back room. More like a bad guy disappearing in the middle of the night, as opposed to being executed in the public square. Unfortunately, in order to make a statement a retailer needs to be drawn and quartered in a very public fashion. Maybe it’ll be TJX, but thus far it’s been no one.

So now comes the rub. Even if a retailer (or anyone else) wants to comply with PCI, what the hell does that mean? Relative to HIPAA and GLBA, PCI is crystal clear. But that still makes it about as clear as mud. As with every other type of regulation, a vendor feeding frenzy ensued to position every security widget as the panacea for achieving “compliance” with the regulation.

For a little while, the way PCI was structured was actually pretty good and made it relatively clear where the line would be drawn relative to network and data protection. But then they introduced this concept of “compensating controls” back in November. That really screwed things up. Why? Because basically it gives every vendor a way to spin how their stuff offers an alternative to the right answer of actually protecting the data.

No less than 5 vendors talked about how they achieved PCI’s compensating controls language in my 10 meetings at RSA. That’s 50% for your math majors out there. And the other 50% were asleep at the wheel. These folks came from lots of different places, including NAC, UTM, leak prevention and database monitoring. Starting to get the picture yet? With the compensating controls clause, PCI is no clearer than any of the other regulations out there.

What to do if you are a customer? Nothing new here, just focus on executing your security program – which will provide you with the documentation to prove that you are compliant with whatever regulation you are worried about. Sounds too easy, no? It’s not easy at all, but it’s the proper path. Continuing to focus exclusively on compliance is a fool’s errand.

Not to continually flog my own stuff, but the Pragmatic CSO process (www.pragmaticcso.com) is all about building a security program and ends with a chapter on compliance, which recommends a different approach than you are used to in dealing with your auditors. Check it out. You’ll thank me later.


Source URL:
http://securityincite.com/blog/mike-rothman/2007-doi-day-10-time-to-get-pc-i