Lockstep


PCI conference presentation

7 Dec 09: Stephen gave a provocative speech at a PCI conference last week.

Stephen's talk was entitled "An ounce of prevention is worth more than a pound of audit" and gave a critical assessment of the limitations of audit-based approaches to fighting fraud. He also gave an overview of newer preventative measures, including end-to-end encryption and tokenization.

Extract

Audits find problems. Yet an absence of findings is not the same as an absence of problems.

An audit of course is just a snapshot. What we really need to know is whether the organisation’s processes are stable and true between the visits.

Poorly run audits are like the blind leading the blind. All too frequently, audits are purely mechanical, where both the auditor and the company representative are juniors, unfamiliar with the history of the organisation, and each with a “job to do”. Does the organisation really want its problems exposed? Does the auditor really want to find problems? Or are they in fact driven to find arbitrary problems? An auditor who finds nothing wrong can appear to have not done their job!

In the PCI debate, we should have a strong sense of déjà vu. The same methodological limitations and the same false sense of security have been seen before with ISO 9001 quality audits, financial audits, and ISO 17799 IT security certification.

© 2010 Lockstep Consulting ABN 59 593 754 482
11 Minnesota Avenue Five Dock NSW 2046
Mobile: +61 (0) 414 488 851