Payment Card Industry security compliance doesn’t necessarily equal security

Experts continually highlight how security needs to be a top priority in a connected world but how often is it top of the list for companies? Andrew Kilbourne, Managing Director at Synopsys, said the percentage of companies passing security testing has fallen and, to add to this, compliance does not always lead to security.

It’s admirable that the payment card industry wanted to self-regulate itself and acted, creating the Payment Card Industry Data Security Standard (PCI DSS) to ensure anyone using their system remains secure. However, we’re witnessing a downward trend in organisations passing PCI DSS interim security testing.

According to Verizon’s 2019 Payment Security Report, published last November, the percentage of companies passing so-called “interim security testing” under the PCI DSS dropped by nearly a third from 2016 to 2018: from 55% to 37%.

A decline this steep is more than just a worrying trend. Even at its highest level in 2016, barely more than half of companies handling credit card data were compliant during interim testing. Now, even that mediocre performance looks to be eroding rapidly.

It strongly suggests that, in spite of constant exhortations and warnings from experts that security needs to be a top priority in a connected world, it remains an afterthought far too much of the time.

Not to mention that many companies who have passed are still being hacked. In fact, if we look specifically at the financial services industry (FSI) as an example, according to the “2019 State of Software Security in the Financial Services Industry” report (an independent study commissioned by Synopsys and conducted by Ponemon Institute) the majority of FSI organisations are ineffective at preventing cyberattacks. More than half of survey respondents making up the data within this report have experienced system failure or downtime (56%) or theft of sensitive customer data (51%) due to insecure software or technology. 

This goes to show that compliance doesn’t equate to security. Troy Leach, Senior Vice President of the Payment Card Industry Security Standards Council (PCI SSC), which created and oversees the PCI DSS, said the organisation has agreed from its start with the mantra that “compliance is not security.” He said it’s actually the other way around – that security produces compliance.

While the financial services industry is relatively mature in terms of its software security posture, particularly in comparison to other industries, many FSI organisations are grappling with a rapidly evolving technology landscape and facing increasingly sophisticated adversaries.

One element that doesn’t help is that the majority of FSI organisations conduct security vulnerability assessments only after software release, and organisations test only 34% of FSI software for vulnerabilities according to the aforementioned State of Software Security report.

Fifty-two percent of survey respondents said assessment occurs in the post-release phase (32%) or in the post-production-release phase (20%). Less than half (48%) said it occurs when their organisations are designing software (11%) or developing and testing software (37%). Only 25% of the survey respondents were confident that their organisations can detect security vulnerabilities in their financial software and systems before going to market.

One issue playing into this is that interim testing is usually conducted once a year by qualified security assessors (QSAs) or internal security assessors (ISAs). The assessors brought on to ensure PCI compliance often also do the security testing. It’s not a reasonable expectation for these PCI assessors to also develop a remediation plan. This presents a conflict of interest that has yet to be remedied by the industry.

This once-a-year formal testing expectation for the sake of compliance is neither proof that an organisation is secure nor is it a deep dive into an organisation’s security strategy. It is time-limited, scanning-focused, and high-level. There is no attention paid to architecture or a security program under which the software is built.

The largest financial services organisations around the globe, on the other hand, have embraced building software security programs. You also don’t see these names in news headlines in relation to massive data breaches. That offers a powerful message, a lesson in successful software security programs.

What’s the takeaway here? PCI DSS compliance is important, but a proactive, continuous, holistic software security strategy, one that accounts for security measures throughout the software development life cycle, should lead the way. More organisations across all industries should embrace a culture of security and ensure that the issues identified during PCI assessments are also remediated. It is also critically important to note that security isn’t a once-a-year exercise, that no organisation on the planet can call itself 100% secure, and that security absolutely requires an ongoing, consistent, programmatic strategy, whatever the shape and size of the firm.

Intelligent CISO