The Art Of Compromise Without Being Compromised

Security management has always been about making choices. With so many layoffs and urgent Web projects for the imminent holiday season, how much time can your team justify spending checking log activity reports, searching to see if any cyberthief visited last night? After all, you rationalize, we can always examine both days’ logs tomorrow.
It’s about making a choice, often couched in ROI phrasing. Security can never make any money, boost profit margins or do anything affirmatively good for senior management. It’s all risk avoidance and there’s nothing more quintessentially thankless than that. If you do your job perfectly and keep everything corporate secure, someone in a board meeting will invariably ask, “Why are we spending so many millions of dollars on security? We haven’t had any kind of a breach in 20 years.”
IT executives involved in security projects today are facing some especially fascinating choices. Tokenization and so-called end-to-end encryption are good examples. Of course, real end-to-end encryption—where a card is encrypted as soon as it’s created and it stays encrypted when sent to the consumer and when brought to the retailer, only being unencrypted at the processor and potentially even at the card brand itself—isn’t being seriously proposed by anyone today, leaving us with a dozen proposals for variants of middle-to-middle encryption. When most vendors speak of end-to-end protection, it’s not the retailer’s …

Copyright © 2012 The Security Blog. All rights reserved.