Michael Dahn has written an interesting blog post on the Cost of PCI Compliance:
I think the more interesting question is, “Why is the cost of compliance so high?” The answer here is that companies do not look to reduce the scope of compliance before pulling the trigger on security. If business people drive the audit they look at cost and balance business requirements against security. If security people drive the audit they will secure the hell out of a bad business process.
I agree with his point, but I think he goes overly broad in his opinion, especially when he says:
“If security people drive the audit they will secure the hell out of a bad business process.”
I think that comment is directed primarily towards technical people, engineers even, who are asked to make things secure without any control over the business. You could say the same thing about someone asked to protect passengers in a car that may or may not drive over a bridge. What would you do?
There are in fact security people who can understand business, and vice versa, and sometimes they are even allowed to drive.
Davi, I haven’t talked with you in a long time and appreciate you clarifying this point. Yes, I do not mean to generalize all “security people,” as I count myself as one of them. What I mean is that security without direction and reason is not a solution.
Thanks!