Last week the Verizon Risk Team released an interesting report in which, among other things, they compared breach result information against norms for PCI DSS compliance. I can't imagine anyone is really all that surprised to see that organizations suffering a serious breach also tended to be less compliant with the PCI DSS.
After that, things tend to get both a little more murky and well, a little more contentious. Because, we all know, correlation is not causation. The fact is they didn't have a breach because they were "less" PCI compliant than the other organizations. They were less compliant, however, because they were ripe for a breach.
Being PCI DSS compliant doesn't actually make you more secure, but if you can't make that bar, and plenty of people would say it's a pretty low bar, then you are, in the words of the immortal Jessie Ventura, "in a world of hurt".
I've often poked fun at the suggestion that somehow moving all this out to the cloud (wherever that magical, wonderful place may be) will somehow improve security. (Yes, really, there are people who say that.) However, I'm starting to wonder. The challenge for the organizations with mature, effective security processes that are deeply integrated into their business operations, is that losing some degree of control is unlikely to improve things overall. However when I see how poorly so many organizations are managing to secure credit card data (or anything else for that matter) I really start to wonder if this might not be a good thing. Maybe moving as much of the processing and handling of information off premises and into the cloud might not actually improve things?
I'd be curious to hear your thoughts. Speaking of curiosity over the cloud – there's a cloud security survey running at the moment on behalf of Credant (full disclosure – my employer). I'll include the link and you're welcome to give us your thoughts there too. After all, you're reading my blog, I think you deserve a chance to win that gift token at least as much as anyone else out there, right?