According to Verizon, there’s an 71% chance that you are already out of compliance with your security guidelines – assuming you complied with security best practices in the first place. If not, the chances are higher. A few weeks ago, we did a security survey. I’ll share a little of that data, and how people’s perceptions seem to be out of line with the Verizon study.
Here are a few interesting numbers from the security survey:
- 78% were neutral, satisfied or very satisfied with their compliance
- 80% thought security compliance was very important or essential
It’s interesting that only 22% of those surveyed were dissatisfied with their compliance, and 80% of them thought compliance was very important or essential. If 71% of them are actually out of compliance, then I expect that close to 60% of those surveyed think compliance is important, are reasonably happy with their compliance, but they’re actually out of compliance.
The most common technique for judging compliance with something like the PCI-DSS rules are statistical methods – where you take a sample and see if it looks good. That’s the method used by auditors, and for the most part by penetration testers as well. So, even among the 29% who stayed in compliance, there’s a good chance that some of those wouldn’t hold up to more exhaustive scrutiny. Your attackers will be perfectly happy to do that more exhaustive scrutiny for you.
You Are Already Out Of Compliance
This reminds me of the opening scene in The Matrix where Agent Smith says “No Lieutenant, your men are already dead”. The officer doesn’t believe it – but indeed, his men were already dead. For you – the odds are that you are already out of compliance – but my survey says that, like the lieutenant, you may not believe it.
As I’ve noted before, getting in compliance is like eating an elephant. To stay in compliance you need tools that will automate exhaustively tracking your servers and tell you immediately when you go out of compliance. Without sophisticated automation, you are already dead — OK, maybe just out of compliance, but you get the idea.
If you’re interested in tools that will help you do this, then my suggestion is the Assimilation System Management Suite. We can help you intelligently triage compliance issues to fix the most important things first in the most efficient way. Afterwards, we can alert you immediately when your systems go out of compliance with your security guidelines – so you can stay in compliance.