A few weeks ago I posted a blog about my new super power, being able to see non-compliance. One of the comments after that post hinted that auditing and the need for compliance was nothing more than a money-making scam, and that the DSS (and other standards) do nothing to really secure companies, but rather artificially create a market to allow some, like myself, to “make money off the scheme.”
This got me thinking: Does compliance matter? Would companies be better off with custom-tailored, one-off security counsel from a security company? Do the DSS and other security standards actually make the world a safer place?
The answer to all three of these questions is yes.
Compliance does matter and the DSS is making a difference. A company that sees the very real risk of being insecure stands to become significantly more secure, if it can afford the time and effort, through a security assessment, or even better a partnership with a professional security company, than by simply adhering to a standard.
Unfortunately, many companies have not “seen the light” and continue to do business as insecurely as they did before cyber crime was hitting newspapers across the country nearly daily. These businesses may not see the return on investment that security can bring, or they may not know what to do. These businesses need a guide, and when they cannot partner with a professional security company to help answer all their questions about security, they can use a standard such as PCI DSS, SOX, or HIPAA to help guide them to a state of relative security.
These standards are far from perfect, but they are much better than nothing. They can help open the door for more security-aware decisions to be made in future revisions and choices.
--Joe Basirico



