Let me first refer to my honorary counsel AKA Wikipedia:
“Trophy hunting is the selective hunting of wild game animals……parts of the slain animal may be kept as a hunting trophy or memorial (usually the skin, antlers and/or head)……”
So the connection may seem somewhat abstract at this point in time but please indulge me and allow me to elaborate.
The purpose of hunting was to provide food for all the hungry mouths back home. As the human species has evolved and farming replaced the hunter gatherer, the purpose of hunting in most of the developed world became no more than a sport or an excuse to escape from the day to day drudgery of modern life and for “Man” to reassert himself as the dominant species.
Still not clear where I am heading with this? I beg your continued patience.
Visitors to many Service Providers may well be aware of a plethora of badges and crests mounted above the corporate mantelpiece.
These are the modern day trophies of the IT industry and certainly brighten up the footer on the majority of communications we all receive (self-sent included).
So to get to the point.
IT Security Standards, and let me address the main targets on this hunting trip: ISO 27001 and PCI-DSS.
Both very different animals and hunted by many.
Both are a good indication that the hunter can aim straight and certainly talk about it back at the lodge after a successful expedition.
But buyer beware!
“Working towards PCI-DSS compliance”, to be frank, means no more than me saying “I am working towards walking on the moon”.
Others may take this even further and hang the PCI-DSS compliance trophy firmly on their wall, when in fact they have only been tested against requirements 9 and 12 of the standard, which address the physical security of the site and a bit about having a security policy.
This means that no digital access to the systems that transmit, process or store credit card information is permitted for employees of that organisation, which is not much good if they are providing, or proposing to provide, a managed service to you.
ISO 27001 is all too often scoped only around the data centre and does not include any of the operational functions or people in the organisation. There is therefore no requirement to provide any sort of security awareness training to the operational teams.
Trophy hunting, at its best, could be considered misguided; at worst, downright deceptive and dangerous.
All standards, to my mind, whether IT security related or otherwise, should be the result of the beliefs, and therefore the culture, of an organisation.
If behaviour is defined by society then standards are a recognition that we are behaving in a certain way, be it to protect or to preserve.
You don’t just have an MOT on the parts of the car you know are going to pass and that won’t cost you too much money to fix if they don’t.
It’s like popping down to the charity shop and buying a stuffed Moose’s head, mounting it in the hotel lobby (for all you Fawlty Towers fans out there) and then telling all your friends about your amazing trip to the Yukon Delta.
So, thank you for taking the time to read this; hopefully it will assist at least some of you the next time you are engaged in a conversation with your IT service provider (past, present or future).