I recently read an article in eWeek by Fahmida Y. Rashid, “PCI-DSS Compliance Helps Prevent Data Breaches Despite IT Doubts: Survey”.
So who are the people who remain skeptical about the security effectiveness of regulatory compliance? Probably the same people who believe the accounting, engineering, and medical industries should have no regulatory compliance either.
Let’s face it: information technology is a relatively new field, and it has only begun to standardize itself through regulatory compliance in a few key areas such as privacy and the handling of payment card data. Without such standards, how can an organization assure the public, its customers, and its business partners that it is not putting their information at risk?
Of course, there are those who run their organizations’ IT security programs very well, most likely using a standard such as ISO 27001 as a baseline. That is great, and they may well be very secure and doing a fine job. Compliance helps achieve this in the areas where it is needed.
I have not met one senior IT person (CIO, Director/Manager of IT) who doesn’t believe in securing their organization’s assets. Many look at regulatory compliance as a positive step forward. Often, budgets will not materialize without something like regulatory compliance to drive IT security projects forward.
Standards like PCI DSS and NERC CIP are put in place to help ensure that we are being protected. Like any compliance program, they have their positives and negatives; however, I believe the positives outweigh the negatives.
Each year I see more and more demand from clients to understand how they can reassure their senior management that they are using industry best practices measured against some standard. IT security is a complicated and constantly evolving field. With so many avenues for an intrusion to take place, it is my belief that standards and compliance are a healthy step forward for the IT security industry.