<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Hannaford and the industrial compliance complex</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/security-bytes/hannaford-and-the-industrial-compliance-complex/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/security-bytes/hannaford-and-the-industrial-compliance-complex/</link>
	<description>A SearchSecurity.com blog</description>
	<pubDate>Fri, 27 Nov 2009 01:01:23 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: Erik Schetina</title>
		<link>http://itknowledgeexchange.techtarget.com/security-bytes/hannaford-and-the-industrial-compliance-complex/#comment-521</link>
		<dc:creator>Erik Schetina</dc:creator>
		<pubDate>Mon, 07 Apr 2008 13:09:06 +0000</pubDate>
		<guid isPermaLink="false">http://security.blogs.techtarget.com/2008/04/03/hannaford-and-the-industrial-compliance-complex/#comment-521</guid>
		<description>I think that the criticism of the 'compliance mentality' is a bit misplaced.  I began performing security assessments before there were any standards, and I've personally conducted scores of PCI, HIPAA, and ISO17799 assessments.  In my experience, the result of these standards has been to dramatically raise the level of security in every organization that I've worked with.  Remember that there are literally hundreds of thousands of merchants taking credit card transactions.  Moving merchants from using unencrypted, unauthenticated databases, unpatched ecomm servers, no logging, etc., to a compliant status where these measures are used, well, it's an enormous step.  Any security professional worth his salt will tell you that security is about managing risk, and there's never going to be a point where businesses have 'perfect' security.  Having businesses obsess over compliance may not be a good thing, but remember that prior to forced compliance, businesses often didn't give a hoot about implementing real security measures, didn't believe that it could happen to them, and did far less than they do today to protect themselves and their customers.  Compliance has definitely raised the bar on security industry-wide, and that's a very good thing.</description>
		<content:encoded><![CDATA[<p>I think that the criticism of the &#8216;compliance mentality&#8217; is a bit misplaced.  I began performing security assessments before there were any standards, and I&#8217;ve personally conducted scores of PCI, HIPAA, and ISO17799 assessments.  In my experience, the result of these standards has been to dramatically raise the level of security in every organization that I&#8217;ve worked with.  Remember that there are literally hundreds of thousands of merchants taking credit card transactions.  Moving merchants from using unencrypted, unauthenticated databases, unpatched ecomm servers, no logging, etc., to a compliant status where these measures are used, well, it&#8217;s an enormous step.  Any security professional worth his salt will tell you that security is about managing risk, and there&#8217;s never going to be a point where businesses have &#8216;perfect&#8217; security.  Having businesses obsess over compliance may not be a good thing, but remember that prior to forced compliance, businesses often didn&#8217;t give a hoot about implementing real security measures, didn&#8217;t believe that it could happen to them, and did far less than they do today to protect themselves and their customers.  Compliance has definitely raised the bar on security industry-wide, and that&#8217;s a very good thing.</p>
]]></content:encoded>
	</item>
</channel>
</rss>