On 3/23/09 3:15 PM, "Jon Kibler" <[email protected]> wrote:

> I am frequently asked why I refuse to do PCI audits. I always have the
> same answer: "I don't participate in security theater."
To a point, it seems all certification processes can be defeated by creative responses or other activity one could loosely call "cheating". It's true of things like PCI, various industry-specific questionnaires that feed things like "The Top 10 Schools for ________" lists, and even personal certifications.

Alone, PCI can't do a lot; one needs a competent and interested security professional. Likewise, said professional can't do a lot without a business mandate (which PCI provides). PCI is not a magic bullet, but it isn't useless theatre either (provided it's routed to the IT department instead of the marketing department).

-porkchop

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
