Mr. Robert Gezelter recently posted a blog entry entitled ‘Securitization: A Risk To Compliance Integrity’. It raises a number of issues that I will further expound upon in future blog entries of my own.
In his blog entry, Mr. Gezelter raises the point regarding the fact that data breaches are inevitable. That is because, regardless of the security measures an organization puts in place, if someone REALLY wants to get the organization, they will take whatever measures necessary to get the organization. Security’s goal is to minimize as best possible, the risk presented. It is NOT perfect and never will be. So we all need to get over the fact that security is not an end to the problem, it is a continuing journey.
Just look at banks. Even with all of the vaults, alarms, video monitoring, dye packs and the like, they still get robbed. Why? Because the odds still favor the occasional criminal, i.e., the robber that only robs a bank once or only once in a great while. And there’s the rub. In order to be a ‘successful’ bank robber, you need to rob a lot of banks. And that’s where the odds eventually catch up with the criminals and they get caught.
This is the way it will become with network security. As we strengthen network security, it won’t necessarily stop the breaches, but it will lead to the solving of most of them. Enough so that it will deter all but the most fervent criminals.
Those of us in the security industry need to better manage others’ expectations surrounding security. We need to politely explain time and again that security is NOT the end, it is a continuing journey.
PCI Guru 
3 Responses to “Compliance Does Not Remove Risk, It Reduces Risk”