Someone today asked me what I thought of this article:
My answer was short: Obvious? PCI doesn’t work. NERC CIP doesn’t work. NIST standards don’t work. Anyone who says or implies that these companies just needed to do more is lying, trying to sell you something, ignorant, or a combination. Security as we do it, in the context of IT as we do it, in the context of business as we do it does not reliably do what we want it to do.
I know no one thinks we should continue to admire the problem – we need action! But what if we’ve entirely failed to correctly identify and articulate the problem? :P
Someone else replied elsewhere with (regarding the standards/regs mentioned above):
“although they can be foundational for funding and building a good security program, they don’t work on their own.”
While that is true, a lot hinges on what “G.ood S.ecurity P.rogram” means. I’d argue that results from G.S.P.s are regularly considered insufficient – i.e., Target *had* a Good Security Program and yet here we are.