Reply to post: Re: Security dept. is there to serve the business

Home Depot ignored staff warnings of security fail laundry list

Mk4

Re: Security dept. is there to serve the business

Yes, additional laws or other regulation is one option that can be used to get businesses to meet a higher level of security. But the drawbacks are it's a pretty blunt instrument (you have to find a law that can be applied to all companies) and there needs to be a check for compliance. That last point on checks on compliance is a very significant one - it looks like PCI DSS rules were not complied with in this case and, it seems, over a number of years. But this was not detected, so we can deduce that no-one checked properly or perhaps at all. That's a pretty damning indictment of the credit industry, and illustrates that laws and regulations are not going to help if there is no effective enforcement.

Businesses understand risk - they take risks all the time. The risk to the corporate reputation seems to have been realised in this case and there was an attempt to take action, which was too late. To me that looks like the risk became very obvious to the leadership, but at too late a stage. Making the business risks clear to management early on is the right way to go and if the business decision is to do nothing then it's a business risk the management have decided to take.
