I know we all have compliance fatigue. Some worse than others, but we all rue the day security became more about compliance and getting the rubber stamp than actually protecting something. The pragmatist in me continues to accept our lot in life and try to be somewhat optimistic about it. But at the end of the day, we (as an industry) pretty much suck at protecting things, and there are no real catalysts to change that.

How would that look on your home page?... Out the other side of my mouth, I can talk about how compliance (PCI specifically) has added a low bar to the practice of security. And in the absence of that (admittedly) low bar, lord knows what the situation would be. But that’s not the point. It’s about making sure organizations consistently do the right thing. And that customers know that’s the case.

I’m intrigued by a concept put forth by Lenny Zeltser, talking about a Letter Grade for Information Security. The idea is modeled after how NYC inspects their restaurants. Basically folks who get the highest grade only get assessed annually. Those sucking need to be assessed more often. Best of all, they all need to post their grades in public where their customers can see them.

Can you imagine if a big retailer failed an assessment and had to post on their high-traffic website that they had issues? Kind of like making them wear the proverbial Scarlet Letter. That would be cool, and would also create a real disincentive to screw up an assessment. And maybe that would be the catalyst to start doing security right.

Of course, this assumes a bunch of things:

  1. The bar is high enough: We consider PCI the bar, mostly because it’s the most detailed. But we need to figure out how much security is enough, and which set of guidelines best reflects that level – which is likely to change based on the organization’s size and transaction volume.
  2. A set of objective ratings: What is a “C” when evaluating a restaurant? No rats feasting in the pantry? I’m sure there is a long checklist and an associated rating system. As Lenny points out, right now PCI is binary – you either pass or fail. I don’t suggest a FISMA-style rating scale – that works so well – but we do need some means of measuring success and providing a grade.
  3. The assessment isn’t a joke: We’ve all heard about the unholy alliances between QSAs, their firms which provide all sorts of other services, and customers. Feels a lot like the old days when a public audit firm sold a crapload of consulting to the customers it audited. Amazingly enough, the late Arthur Andersen gave firms like Enron a thumbs-up because they’d lose out on millions of other billings if they didn’t. Today a QSA is not prohibited from selling other products/services to the companies it assesses. We need true objectivity for this to work.
  4. Mass market coverage: Assessing Tier 1 and even Tier 2 merchants is a no-brainer. There are thousands of Tier 3 and millions of Tier 4. How do you address the mass market? Self-assessment? See the previous bullet about the assessment being a joke. But since much of today’s fraud targets these small fry (as the big folks get incrementally better at protecting themselves), this large swath of territory must be factored in.
  5. Truth in Advertising: What happens when someone fails a PCI assessment? They argue about it, which pushes back the date when their situation would actually cost them money. In Lenny’s example, NYC makes them post either the current grade or a sign saying the grade is pending. That’s kind of interesting. We need to make sure companies come clean about porous data protection policies. Kind of like an extension of today’s disclosure laws: customers are notified when organizations holding their personal information fail an assessment, whether there is data loss or not.
  6. Oversight with teeth: When did separation of duties take off? Basically when Sarbanes-Oxley made it clear a senior exec would go to jail if they screwed it up. We need similar oversight for security. Yes, this would need to be legislated, and I’m fully aware of the ramifications. But how else can you create enough urgency to get something going?

Or we could just continue on with the status quo. Since that’s so great.

I’m not saying any of this is practical, and it’s kind of half-baked on my part. But parts of it may be workable. Like Lenny, I understand that this discussion brings up more questions than answers. But I am (like you) pretty frustrated some days about what we call success in security nowadays.

And thanks to Lenny Z for once again providing great food for thought.

Photo credit: “Hester Prynne” originally uploaded by Bill H-D