Trustwave vs. Verizon

Trustwave just released their Global Security Report 2011. This report seemed to overlap a bit with Verizon's 2010 Data Breach Investigations Report (PDF), so to check for some consistency, I looked at common areas to see how their data compared. The first one that I looked at was the fraction of their clients that were compliant with each of the 12 requirements of the PCI DSS. Here's a graph that shows what I found (the numbers on the horizontal axis correspond to the numbers of the PCI DSS requirements).


Some of the data is similar, but lots of it definitely isn't. There could be lots of good reasons for this: different industries being represented, etc. But these obvious differences should also be a good reminder of something that people seem to frequently forget: never take what's in a single report on information security and assume that it's representative of all businesses or the entire industry. (In some cases, it might not even be a good idea to assume that it's accurate, but that's probably a good topic for a different post.)
