In today’s environment of financial crisis, the tradeoff managers usually make is coverage against cost. IT and corporate management are more concerned with reducing outsourcing costs and cutting back on professional services instead of achieving and sustaining technical excellence in security and compliance. Technical superiority in IT security will not enlarge your market share or improve profitability.
I started thinking about a different kind of tradeoff after stumbling on Milkymist today: the tradeoff between compliance and simplicity/technical excellence. The Milkymist project is an open source hardware project developing a stand-alone device in a small form factor that is capable of rendering MilkDrop-style visual effects in real time, with a high level of interaction with many sensors and using live audio and video streams as a base.
While a lot of system-on-chip (SoC) designs put a strong emphasis on compliance with established standards, Milkymist favors simplicity and technical superiority over compliance.
Are privacy and payment card compliance effective data security countermeasures? The short answer is no. PCI DSS 1.3 compliance, whether by SAQ (self-assessment) or with an external auditor (QSA), is not an effective data loss prevention system, as empirical evidence from data breach events like Hannaford Supermarkets shows.
But I think the good news is that simplicity and technical superiority are cheaper in the long run than process compliance.
PCI DSS emphasizes that there is only one asset (a payment card + mag stripe) and that if you don’t store payment card data, you are compliant with the card association requirements. With simplicity, meaning no payment cards in the database, you’re compliant. For the rest of system security, we need the technical superiority part: locking down servers, enforcing strong passwords, patch management and a data loss prevention system to keep the “good stuff inside”, and an IPS to keep “the bad guys out”.
See the OpenCores project for more about simplicity and technical superiority.