Earlier in the month I gave a talk at the Info-Security Conference in Wanchai, defending the PCI DSS against claims that compliance is worthless and does not improve security. At around the same time, I had an article published that contained essentially the same argument (read the PDF here; original article here).
Every day, dishearteningly, I see more and more examples of the kind of businesses to which my presentation and article were referring. Specifically, the ones that are culpably negligent in terms of information security.
Check out, for example, this news story. Nothing particularly unusual about it, but I thought the merchant’s statement was especially illustrative of the kind of attitude of which I see so much. They portray themselves as utterly innocent victims of a “senseless” attack. Bullshit! A senseless attack is when someone randomly punches you in the face while you’re walking home from the pub. Heisting a load of cardholder data makes huge amounts of sense: it’s valuable. And they’re hardly innocent. Wearing a short skirt does not mean you are asking to be raped, but leaving your payment card database hanging out most certainly does mean you’re begging for someone to come along and make a copy or two.
But it’s okay: “authorities” say the attack wasn’t the result of any “wrongdoings” by staff or management. Bullshit again! Management are responsible for securing their data. They neglected to do so. That’s a good, solid piece of wrongdoing right there.
Now, I really don’t mean to single out this one small restaurant, but I see attempts to substitute investment in security with affronted and unconvincing protestations of innocence like this all too often, and that was what sparked my pro-compliance presentation and article.
I sometimes consult for businesses that have got sub-par security. The fact that they’re addressing their poor security absolves them of negligence. Businesses like the aforementioned restaurant are in a whole different league of shame. And so I’m proposing a new terminology for them. Based on Wolfgang Pauli’s dry observation that something can be “not even wrong“, I am choosing to label the security negligent as “not even incompetent”. After all, you can only be incompetent at something if you’ve tried it.