I was recently asked in a meeting of the minds to describe my view of the perfect world as it related to PCI DSS. For those of you who read my work often, you may notice a few themes that I continue to write about. I believe that security is a business problem and security professionals have historically done a poor job of quantifying information security risk in a manner that makes sense to a business person.

The world through a lens Project 365(2) Day 356, by Keith Williamson

In my perfect world, companies would understand the value of the information they use to drive their business, and they would protect or transfer risk accordingly. Sounds simple on the surface, but if you have been in business in the last five years and have more than 100 employees, this concept is much, much harder to quantify and document than it sounds.

The first day a company is in business, the processes and methodologies used to make money are relatively straightforward. As the company grows, more processes and methodologies are added in response to market changes, customer requests, or business owners getting stuck in the “anything for money” mindset. Day 100 of business is not nearly as clean from an IT and security perspective as day 1, and the view of the original plan progressively gets more diffuse from there.

This problem gets even more complex as you start to add employees. Ten employees are pretty easy to watch over, and maybe even a fifty-person shop can still have pretty tight controls over business processes and the innovation-to-production timeline. What if your business prides itself on empowering employees to build creative new ways to cut costs or boost revenue? If any of this uses information to accomplish the goal, you can bet you have created a new area for bad guys to peruse once they breach your company’s security.

So what concepts describe my perfect world? Companies would know precisely where data lives, how it is processed, the systems it touches, and the third parties that could potentially impact the security of that data. They would build their business around minimizing the risk of using that data, maximizing the business value of the data, and they would outsource or transfer risk where appropriate. I can think of numerous examples where companies duplicate risky data and poorly manage the security around that data when they could easily use some other authoritative source[1].

This post originally appeared on BrandenWilliams.com.

  1. PCI DSS anyone?