Compliance Does Not Remove Risk, It Reduces Risk

Mr. Robert Gezelter recently posted a blog entry entitled ‘Securitization: A Risk To Compliance Integrity’.  It raises a number of issues that I will further expound upon in future blog entries of my own.

In his blog entry, Mr. Gezelter raises the point regarding the fact that data breaches are inevitable.  That is because, regardless of the security measures an organization puts in place, if someone REALLY wants to get the organization, they will take whatever measures necessary to get the organization.  Security’s goal is to minimize as best possible, the risk presented.  It is NOT perfect and never will be.  So we all need to get over the fact that security is not an end to the problem, it is a continuing journey.

Just look at banks.  Even with all of the vaults, alarms, video monitoring, dye packs and the like, they still get robbed.  Why?  Because the odds still favor the occasional criminal, i.e., the robber that only robs a bank once or only once in a great while.  And there’s the rub.  In order to be a ‘successful’ bank robber, you need to rob a lot of banks.  And that’s where the odds eventually catch up with the criminals and they get caught.

This is the way it will become with network security.  As we strengthen network security, it won’t necessarily stop the breaches, but it will lead to the solving of most of them.  Enough so that it will deter all but the most fervent criminals.

Those of us in the security industry need to better manage others’ expectations surrounding security.  We need to politely explain time and again that security is NOT the end, it is a continuing journey.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


February 2009
    Mar »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,941 other followers


%d bloggers like this: