The future direction of data breaches

A few weeks ago, SANS' Internet Storm Center handler Marcus H. Sachs requested input from the community on what we feel will be the new trends in Information Security in the coming months. He was kind enough to quote an excerpt from my response:

Mike was maintaining a positive outlook when he wrote, "For years, organizations have been spending a lot of money on poorly-implemented or half-baked security solutions so they can check a box on an audit finding. At the same time, auditors have been providing findings of such poor quality that the information is nearly useless to their customers. I believe some of the recent high-profile identity theft cases will bring this to light, and hopefully improve auditing practices and force the hand of large organizations to *properly* implement security technologies."

I've been increasingly convinced of this in the weeks that have passed since I wrote that. However, there is another side to that coin: in order for bad but audit-compliant practices to be exposed, some colossal failures must happen. This week, we saw the first, with the theft of 40 million (yes, a 40 with 6 zeros after it) credit card numbers improperly kept by CardSystems Solutions. They were out of compliance of Visa and MasterCard standards, but had "recently" passed an audit (I believe the date they mentioned was 2003).

I have seen the Visa and MasterCard audits first-hand, and I have seen what "compliance" means. It means dusting everything off, putting together some reports to show that your organization was recently following the standards & practices agreed upon, panicking for a few weeks until the auditors leave, and then letting everything fall apart again shortly thereafter. Granted, my experience was only at one company, but the company was only "compliant" while the auditors were there. They were able to get away with it, and I suspect CardSystems Solutions did the exact same thing. Auditors are far too lenient on corporations, rubber-stamping compliance checks because the company has a "plan in place to implement" any security requirements not currently met. Plans that are surreptitiously ignored until the next go-round.

Less visible to consumers, and more visible to organizations, are the details of audit findings. These are littered with more false positives (or, audit findings that are incorrect) than actionable information. The data is poorly presented, voluminous, and very difficult to manage, with the exception of executive-level reports, of course. IT shops sink vast resources into addressing or proving invalid the specifics of these low-quality audit findings, resources that would be far better spent on bigger-picture projects like implementing technologies that will enable audit compliance or improve security in the future.

The injustice in this process, and its subsequent discovery and correction, is that consumers will have to suffer before their financial lives are improved.