RSA Europe 2012: PCI compliance deflects attention from more important security risks

Josh Corman at RSA Conference Europe 2012. All rights reserved by RSA Conference

Akamai’s director of security intelligence explored the question during a keynote address to the RSA Europe audience in London this week. Perhaps a more fundamental question according to Corman is how can the industry measure its progress in dealing with security threats? More breaches and an increasing pool of adversaries means that while security professionals may be employing more resources to deal with risks, the dangers they face appear to be growing at a faster rate than their ability to deal with them.

Blame gets spread around when a data security mishap occurs, Corman observed. Organizations point the finger at their security technology vendors, or nation-states like China. For him, though, the widening gap between defenders and offenders comes down to focus.

“We used to spend 100% of our security time solving for the threat. Right around the time of the rise of PCI, we distracted ourselves from focusing on who was actually attacking us”, he lamented.

Too many organizations, in his opinion, are placing an overwhelming amount – if not all – of their security resources into passing PCI audits, rather than combating the problem of malicious threat actors. “The auditor became the attacker…we now solve for the guaranteed threat actor – the auditor or QSA [qualified security assessor]”. Corman insinuated that the auditor has now become a “proxy for threat” that consumes most of the resources in many organizations’ security budgets.

Yet, it’s not the auditor who is the enemy, and the number of adversaries seeking to infiltrate organizational data continues to grow each day. A case in point is the emergence of hacktivist groups like LulzSec and Anonymous, as Corman relayed. These groups, he said, have grown out of a response to cultural and economic climate changes. “We have more adversaries than we have ever had, so we are not getting better on [this] front”, he said, adding that most organizations do a fantastic job of addressing one particular security issue – for example, PCI compliance – at the expense of ignoring other perilous risks.

Corman said organizations need to ask themselves one fundamental question: Why do you do security? Or, in other words, what are you trying to protect, and how “replaceable” are the things you are currently trying to protect? He asserted that most organizations spend 95% of their security budgets on protecting card data, which is actually a low-value proposition because fines related to breaches are minimal when compared to the risks that accompany the compromise of other key assets.

“Look at how much money you spend to conform to PCI compliance”, he asked the audience, “when you’re not spending a penny on [protecting] your trade secrets, which keep you in business and drive your profits. You’re not spending a penny while seeing your intellectual property hemorrhage out of your organization.”

To support this assertion, Corman recalled that he used to keep track of Fortune 100 companies that admitted to suffering loss of intellectual property data. Once he had tallied admissions by 86 of them, he stopped keeping track, simply assuming they had all suffered a similar fate.

“This is not fiction, this is not FUD, this is not scare tactics”, Corman assured the audience. “It’s happening…and I would suggest that we start trending towards this.” Things like computer viruses affect the performance of our IT assets, he said in conclusion. However, in his opinion, theft of IP and corporate trade secrets is infinitely more damaging because it affects the business bottom line, and it should be of far greater concern to security professionals.
