Security Compliance is Not Enough

By Joseph Jones November 7th, 2006 at 1:53 pm
Posted in Group Blog Posts, Non-Tech Articles, Not on Homepage

I have been working on issues that relate to security certification at a number of our clients, and I can’t say that I have anything good to say about it. I have a very simple reason behind my dislike. Compliance standards are set such that you are protecting against the bulk of the people out there. This is generally very good practice, but when you rely on the standard alone, you open yourself to real danger from the attackers the standard was never written to stop.

This is not to say that “best practices” aren’t good policy. Sure, I totally agree with picking the “low-hanging fruit” and preventing the bulk of the attackers from casually accessing your data. I have a lock on the front door of my house. I know that it doesn’t prevent a criminal from getting into my house, but it might stop the 15-year-old punk who has nothing better to do after cutting algebra class. I don’t have anything that valuable in my house, but if I had something worth $100 million in my living room, you can be sure I would have a big dog and a guy in a ninja suit there ready to stop someone from getting it.
