The information security industry can sometimes fall into a rut when it creates and publishes requirements. Even in the corporate world we fall into these ruts. Go check out one of your build or hardening guides and see how much or how recently it has changed. In some respects, we don’t want to have drastic changes even when the world around us changes drastically because it makes it harder to meet those requirements. It’s that old “Your Security Rules are a Moving Target” chestnut.
An old mentor of mine once told me that “compliance comes and goes, but security is here to stay”. In some respects, I think compliance is the manifestation of a purpose-built set of security rules driven by some market response or regulatory need. By that definition, it becomes ephemeral by serving its purpose and being superseded at some date. You don’t even have to look that far back into the history books to see changes like this (Remember BS7799?)
Which brings us to our old friend, PCI DSS. Did you know that our fair standard turns TWO WHOLE HANDS this year on December 15? Through all the years including the 6th version of the standard (don’t forget v1.2.1), the standard has stayed relatively constant. Technology demands such as the ease of hacking WEP pushed changes in Wi-Fi deployments and process demands such as maintaining a list of in-scope devices are welcome and necessary, but ultimately are just minor modernizations of the standard as opposed to overhauls. Yet, we still see breaches significant enough to call its effectiveness into question (or at least significant enough for various Council staffers to defend it in front of Congress and in the press).
The solution to this problem is neither easy nor painless. Changes to the Standard, how it’s enforced, how it’s assessed, or even the underlying payment systems are all possibilities but become daunting when you consider the number and independence of each party playing in the ecosystem. My challenge to those involved is to consider the Art of Inquiry when trying to come to a solution. It’s the art of asking questions in the right way to challenge the status quo (if the powers at be decide the status quo is not working) and understand the best way to move forward (which, incidentally, could include inaction). Most importantly, it’s about the transparency of those discussions to promote understanding in the community.
If we decide to stay in the rut, we should know why that is and have good reasons for it. Being in the rut may not be all that bad, even if the general connotation of the phrase is negative. Realization that the rut does end in a brick wall somewhere down the line is critical to understanding the pathway forward.