Two stories this week grabbed my attention. First was Schneier's rather traditional take on the notion that no control is 100% secure. In this case, he is talking about locks and how they "aren't very good." To be honest, I was pretty frustrated at the black and white approach to something that is obviously mired in shades of gray. The goal for any control isn't 100% security, it is a reduction in risk. That is, a lock should reduce the potential of an incident (or its consequences), preferably by more than it costs. That is not a high bar to meet as the cost of locks in many cases is built into the price of doors (or cars, lockers, etc..). I also find it difficult to believe that people would stop locking their doors, especially in high-traffic areas – I believe there are many more opportunist criminals looking for an open door than there are professionals who know how to pick/break a lock.
The second story was the Heartland PCI story that took off with Bill Brenner's interview of CEO Robert Carr. My initial take there was that this was another instance where PCI was broken and we should pursue alternative methods of compliance like Andrew Conry-Murray's. In other words, I was making a black and white assumption based on my predisposition to dislike compliance audits.
Then I realized that I was doing the exact same thing I was frustrated at Schneier about – oversimplifying the nature of controls to a binary outcome of work/don't work.
There is a much bigger problem here than I was exhibiting cofirmation bias and being hypocritical in some respects. That is, we still don't know WHAT WORKS. We don't have a good definition of success nor do we have any evidence or results that demonstrate that controls WORK. This doesn't mean they don't work; it simply means we haven't done a good job proving it. (I had a similar discourse regarding Microsoft's SDL a while back).
My assertion is that locks "work" if (as I described earlier) the risk-adjusted amount of damages (or expected value of losses) is reduced by more than the cost (total cost) of the lock itself. Similarly, PCI "works" if the risk-adjusted amount of damages is reduced by more than the cost of the audit. (Note: In a previous take on whether PCI is working, I focused solely on a risk reduction without accounting for the cost of the control.)
Clearly, my bar is set much lower than complete security, but much more practically when it comes to determining appropriate controls for an enterprise program.
Update: After re-reading my post, I realized I was short on explanation about why the Robert Carr interview showed PCI was broken. I agree with everyone that said PCI isn't about catching that single compromise – that's not the point, the point is "compliance." But when you peel that onion, the real value all of a sudden disappears… compliance really *IS* supposed to reduce risk and perhaps it doesn't… subject to the criteria I laid out in the rest of the post.