In this third part of Schneier and Ranum's Face-off at ISD 2009, the two security pros address questions surrounding how security and compliance interact, and how to get executives to care about security beyond simple compliance.
Check out other topics in this series:
- Part 1: The future of information security
- Part 2: Social networking
- Part 4: Cybersecurity coordinator
- Part 5: Security metrics
- Part 6: Audience questions
Read the full transcript from this video below:
Schneier-Ranum face-off, part 3: Compliance and security
Bruce Schneier: You don't get past it. You can't get past it. Compliance equals security as far as your boss is concerned. You have to live with it. Compliance is the best stick you have to go to your boss and beat him over the head and shoulders and say, "Give me more money for security," compliance, sorry. You say that, and you get to improve security, which you know is the good thing to do, as you improve compliance. There's no getting around it. This is the world.
Marcus Ranum: And of course, this is where I have to disagree. I mean, he's right, but in a reasonable world, and there have been times in my career that I've actually worked for good management where I've been able to go to them and say, "We need to do this thing," and they go, "OK. Do it." Or, "This is a bad idea. Don't do it," and they go, "OK. Let's have some meetings and we'll figure out how else to do it."
I think that ultimately what's happening with this compliance thing is it's a sign that a huge piece of the management structure has just thrown that whole problem out the window and said, "Basically, we don't trust you security guys any more, so what we're going to do is we're going to trust Visa and Mastercard's consultants instead of you, and they're going to give the check list that we're going to hold you accountable to."
Bruce Schneier: Or our auditors.
Marcus Ranum: That's right, and we're going to hold you accountable to that.
Marcus Ranum: The reason it's a tremendous mistake is because if you need PCI, if you're at the point where someone comes along and says, "We need to audit you for compliance against PCI," it means that you've been being a loser for the past 15 years. You should've done that stuff 20 years ago. If you had half a brain before you connected to an Internet, you should've had your log manager, your firewall, your change control, your intrusion detection capabilities.
All of that should have been in place before you ordered that T1 line, back when T1 lines still existed. Actually, I live in north central Pennsylvania where they still do exist. So, I think that if you're actually looking at this compliance as other than an exercise in, "Yeah, we do all that," it means that you're profoundly in error and have been for quite a while.
Bruce Schneier: I don't think that it's really a valid question. It's not whether you want to deal with PCI or not; it's whether you're forced to or not. If Visa or Mastercard says, "You have PCI," you can't go back and say, "I don't want to." And you're not going to tell your boss, "OK. We won't accept credit cards." That's the thing about compliance. It's not a choice; it's compliance. The trick is how can you use these externally mandated regulations to improve security?