Friday’s news of Marriott’s massive breach sent shock waves throughout the cybersecurity industry and consumer sectors alike. Brian Krebs described the “colossal intrusion” and numerous other security experts joined in to analyze what missteps the chain may have taken, how the breach could have been prevented, and what we as an industry can learn from the catastrophe.
While we don’t yet know what exactly occurred, I have to say I’m not surprised. Given the nature of the hospitality industry, there’s no question that Marriott was checking the boxes on compliance—for example, they obviously were PCI compliant in order to store credit card information in member profiles. I’m not suggesting that compliance isn’t important, but a lot of people think that if they are compliant they are secure—and that simply isn't the case.
I suspect that Marriott made compliance-driven investments rather than implementing a comprehensive security strategy that truly mitigated risk, and that’s why we’re analyzing their mistakes today.
I’ve seen it countless times across industries. This “compliance-first” mindset satisfies requirements and keeps the lawyers happy, but it also sets companies up for significant vulnerabilities and, quite often, devastating breaches. When companies are purchasing tools just to check the compliance box, security clearly is not the first priority. Worse, these products can actually take away from security value by adding the time and resource burdens of managing multiple tools to already strapped security teams.
My advice to all organizations that are analyzing their IT investments and strategies in light of the Marriott situation is to focus on security first, and as a result, you will become compliant.