Do SMBs (or others even) want to move beyond the checkbox?
There has been much discussion lately about the fact that being PCI compliant does not necessarily make you secure. The simple answer is of course it doesn't. It does make you compliant perhaps, but not truly secure. The regulations were meant as a minimum, not as the be-all and end-all. But with that being the case, what makes you think that most businesses, especially SMBs, give a hoot? For most of these people, being compliant is where it's at. They have no budget or will to move beyond that, whether it be SaaS, MSSP or anything else.
So it was with a chuckle that I read Steve Smith’s Alert Logic blog post on how and why SMBs should be moving beyond checkbox compliance. Steve, what makes you think they want to? In fact, the evidence is overwhelmingly that they don’t. Once you get past Steve’s somewhat annoying, incessant Alert Logic selling (hint: Steve, be a little less “sales-y” in your blog posts), Steve reverts to a FUD argument. Citing the Pokemon (spelling mistake intentional on my part) Institute, Steve talks about how expensive a data breach can be. But my experience is that most SMBs and even larger companies don’t believe it will happen to them. Getting them to spend money based upon the fact that they could suffer an incident is a tough sell in the current economic environment. It is the herd mentality. They know someone is going to get burned, but there are so many, what are the odds of it happening to them? It is only after the fact that they believe it can happen to them.
Here is the bottom line: The best customer for a security vendor – product, SaaS or MSSP (and Steve, MSSPs give customers control over their security too, if they want it, which is a whole other story) – is one who has already had a security breach. They get religion real quick after an incident. But trying to convert one who has not had an incident is better left to missionaries. In other words, companies are told they have to meet PCI guidelines to do business. That is the bar they are going to aim for. Asking them to go beyond that is pushing rope up the hill, I am afraid.