Bruce Schneier introduced, to me, the concept of security theater. The idea that much of what we see in terms of ‘security’ – TSA, Homeland Security, etc – gives us the illusion that something is ‘being done’ to make us more secure, but in reality does nothing – or at worst – makes us less secure.
I have grown to understand that regulation does much the same thing. And this has nothing to do with “government bad, markets good.” This is true because written rules are brittle, vague and unable to adapt to fluid situations.
I work for an organization that is bound by PCI guidelines – a private consortium of credit card providers that create security rules for companies that accept credit cards. (I told you that this wasn’t an anti-government screed.)
The concept behind the guidelines are well intentioned. Credit card companies are liable for losses due to the theft of credit card companies. Unfortunately, they don’t have control over the entire transaction. Retailers accept and store credit card numbers and have been one of the primary source for theft over the years.
But I can tell you with absolute certainty that these rules are not making retailers more secure. We spend a lot of time and money so that we can pass the audits. But little of this activity is actually making it less likely that credit cards can be stolen.
This isn’t to say that none of their rules should be followed – quite the contrary – most of them are simply common sense. But, some of them are:
a) Simply not applicable in our environment – but the rules do not distinguish between risk and no risk, they say that you must do X
b) Less risky than other holes in the environment. Every company has limited funds that they can spend on security (security is always a trade off between costs and benefits) and if we have a hole Y that has a 10% chance of loss and one Z that has a 1% chance of loss we will ignore Y in favor of Z if PCI hasn’t addressed Y.
The PCI – or any regulator for that matter – simply cannot know the details of every environment. We have a pretty good idea what our risks are, but we can’t address them because we are too busy engaging in the theater of making PCI think its all OK.
If the card issuers really want the retailers to take the risks seriously they need to create the incentives for us to really care. Make a retailers partially responsible for a breach. Let us decide where the risks and rewards are – if we have skin in the game we are going to be much more successful than you trying to guess what is likely going to be a problem.
This is true for other areas as well – don’t create rigid rules like SOX & HIPAA with rules that don’t actually address the problem you trying to solve. Make the failures expensive and the perpetrators culpable. The results will be far more successful.
POSTSCRIPT: Even knowing how many holes there are in most companies I fell safe using a credit card at almost any company. The breaches require several steps of compromise and are unlikely more often than not. Not impossible – but improbable.