One should not assume that being compliant means your infrastructure is an unsinkable ship. What compliance does is set a benchmark for monitoring your security at a particular point in time. PCI-DSS has been successful in highlighting the problem of unsecured credit card information and providing companies with a framework to store that information more safely. By itself, it's not enough - but it's a great place to start.
However, PCI-DSS also drives a lot of security spending. With merchants being fined more regularly, organisations have begun to invest heavily in better security around credit card data. Meanwhile, the top management of organisations see that investment and expect the money spent to benefit the business overall. They equate compliance success with good security, and that is a problem. Too often, passing a PCI-DSS audit creates a false sense of security within the organisation, especially among senior stakeholders. What they need to understand is that security is an ongoing process. Technology and its threats evolve at such a rapid pace that a part of your network that's secure today could easily be at risk tomorrow.
Do you see a switch happening from credit cards to mobile-based payments in the next few years? How will this switch influence the current security infrastructure and setup? What will need to change?
Mobile usage is on the rise, along with the adoption of these devices as part of a corporate standard. This can naturally bring further security challenges, as the smartphones of today are almost mini computers that require just as high a level of attention as the desktop. Capabilities such as mobile-based payments will continue to increase thanks to banks providing either mobile-optimised websites or their own apps. Retailers will also be able to better process payments from a variety of mobile-initiated means.
It's important to point out here that security awareness hasn't changed. Most of the principles in use today within an organisation still apply to these newer devices. Additional technologies will naturally be required over time to help secure these new methods of communication. However, the overall goal of keeping your organisation secure should not change simply because of a new technology; it should be reinforced all the time.
Generally, how can compliance set a benchmark for monitoring an organisation's information security?
Compliance initiatives are an important starting point for security teams to do their job to the best of their ability, but they can't replace regular and thorough analysis of insider/outsider threats, and careful attention to closing holes in security processes. Both security and compliance are 24x7 initiatives, and senior stakeholders need to ensure that budgets and resources are available to make this happen.