9 November 2007

Discipline blamed for non-compliance

Lack of discipline is to blame for non-compliance with regulations and standards such as PCI DSS, according to log management experts at the CSI 2007 conference in November.

“People are aware of the need for compliance, but the discipline just isn’t there,” said AN Ananth, president of US log management firm Prism Microsystems. “People always want to solve their problems tomorrow – but often tomorrow is too late, or maybe it never comes.”

Ananth said that users are becoming better educated about the various dangers of non-compliance, but are not looking to resolve it. “No-one is disputing the need for security, it’s just all about jostling priorities.”

Chris Smith, vice-president of marketing for Alertlogic, a US provider of IT compliance products, argued that money is often the reason for non-compliance. “People are trying to comply [with PCI] but most aren’t. The technology demanded by the standard is too complicated and too expensive for mid-sized enterprises. It’s these mid-sized companies that are suffering, because as an industry most companies target large companies.”

Ananth disagrees. “It’s not that security is too expensive or even that the security products needed are absent. It’s just that people haven’t got around to it yet. Sadly, something bad normally has to happen to trigger the need to invest in security.”

Both Ananth and Smith believe that increasing press coverage of non-compliance risks and security breaches is a blessing for vendors. “Well of course, if people see that this is happening, and want to avoid it, hopefully they’ll rush out and buy my great product,” said Smith.

But Ananth maintained that the media can only help sales to a certain extent. “Fear, uncertainty and doubt will only take you so far. But after a while, if a security product doesn’t hold real value, then it won’t last,” he said.

“Of course the media sensationalise these threats,” said Smith. “They like to talk about companies that aren’t compliant.”

“The media plays on the public’s fear when it comes to information security. If the reader is educated, then they’ll get it and understand. Most readers are much savvier these days. For an uneducated reader, however, of course it’s going to invite fear,” said Ananth.

“I think it’s only right that the media publish breach stories and news – people have the right to know. Especially when they are directly affected, for example like in the TK Maxx incident when people’s card details were lost,” said Ananth, who argued that the potential loss of credibility is one of the biggest motives for companies to comply.

People are driven to compliance for different reasons, concluded Ananth, and as public companies “they have a responsibility to their stockholders”. Computers are now so integrated into every aspect of business that the price for non-compliance can far exceed the cost of installing security products to comply. “Compliance as a requirement is not likely to go away,” said Ananth.