An interesting survey on PCI DSS compliance was recently published by the Ponemon Institute.  There are many interesting findings in the survey some of which I summarize here.

One thing that strongly comes out is that though PCI DSS compliance is perceived as contributing to an organization’s security posture, cost factors are pestering. 60% of the respondents have said that they do not have sufficient resources to manage PCI DSS compliance even though it seems they are spending one third of their security budget on PCI DSS compliance. Another interesting and equally troubling data point that comes out of the survey is that 71% respondents say that their organizations do not have data security as enterprise level strategic initiative. No wonder TJX type breaches happen!

The data security problem is going to only get harder in the future as new networking technologies evolve; most notably wireless and Web2.0. In fact, already 38% percent respondents in the survey have said that that they think the most serious security threats are located in wireless devices. Rightly, PCI DSS has also added wireless scanning control into the compliance pack.

So it is clear that we need low-overhead enablers for organizations to achieve and maintain PCI DSS compliance. At least for wireless PCI DSS compliance, we at AirTight have developed a hosted wireless scanning solution to make PCI DSS compliance cost effective and effortless. Would like to hear from others what they think are the ways to help organizations achieve compliance without much cost and complexity.

Hemant Chaskar Compliance, PCI dss, hosted, PCI, SaaS, scanning, spectraguard online, wireless

Do you believe that IT security in private enterprise is a national security issue? I do and would love to hear your thoughts. You might want to take a look at the Airport WiFi and Financial District wireless vulnerability studies that AirTight performed recently to see just how badly some organizations are following b est practices when it comes to wireless security.
It appears that in some quarters folks felt that the President did not tell us anything we did not know in his speech on Friday about cyber security.  I think we need to understand, however, that the key phrase there is “anything WE did not know.”  At times we who work in technology live in a bubble and assume that everyone understands what we understand.  But technology or cyber security is our business – it is not the core business of the financial institution, the hospital, the school, the utility etc. Read more…

Della Lowe Best practices, Wireless security cyber security, President Obama, security policy, wireless