Compliance != Security – the Titanic illustration

180px-Titanic-New_York_Herald_front_page

Dr Anton Chuvakin points us to NEWS FLASH! Titanic Was Compliant a post on The Guerilla CISO located here.

The theme of the post is that compliance is not security. Do yourself a favor and read the full post for yourself. It is about someone questioning how a failure could occur "even after smart people put their heads together and try to deal with the problem before facing a crisis" The example of the RMS Titanic is perfect:

 

 

I told her that the problem here was that the Titanic indeed did meet all of the safety requirements of the time. And that a big part of the problem was that the safety requirements were drafted in 1894 at a time when there were rapid changes and in the size and design of ships of this kind.

So, the bottom-line was that when the Titanic was reviewed by the safety accountants, they took out their check-list and went over the ship with a fine tooth comb. When the day was done the ship fully met all the safety criteria and was certified as safe.

Did you get that ?  The Titanic was compliant to the current safety standards of the time.

Think of this when you are reading through your SAQ or PCI DSS Audit Procedures – and understand that the PCI Standard is a baseline of controls to follow to protect cardholder data, you may need to go above and beyond these. Don’t feel that you are "secure" because you are PCI compliant, and don’t be surprised that PCI compliant entities can still have security incidents.  Your Risk Management program and practices should include addressing compliance, but compliance should not be your goal for "security."