Surviving IT Security’s Dark Ages
Written by Evan SchumanGuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.
The economy sucks. So now is a great time to shift budget away from regulatory compliance and spend it on something that will actually make money for your company, like direct mail advertising.
No, I don’t actually believe that, but as we talk to retailers about security and compliance, I definitely get the feeling some executives are on the defensive when it comes to maintaining a focus on their areas during these "dark times."
To help them muddle through, here are a few suggestions that should tide folks over until the next "security renaissance," if you will.
The problem with compliance-driven security is that upper management tends to relax once compliance is achieved, until the rampup to the compliance due date the following year, when compliance must be proven again.
It’s a vicious cycle and one of its by-products is a heavy reliance on manual procedures. These are seen as time-killers and often viewed as demeaning by security managers. To change the annual compliance game and reduce the rush to get proper paperwork in place, we recommend choosing three to five specific controls where the manual workload is overwhelming and develop an ROI based analysis to justify the acquisition of automated tools.
This is not a time to try to sell an overall compliance management strategy, IMHO. It is a time for a very focused, quantified justification aimed at such poorly implemented controls as security log management, application code review, data access authorization, change management and, of course, key management.
For many organizations, these are some of the weakest controls and require extensive attention and manual oversight by security managers. The ROI analysis that’s required is a matter of the greater accuracy of automated tools as well as the labor cost savings. Every IT manager reading this should be able to identify several specific areas where additional security effectiveness could be achieved through automation, while saving thousands of dollars in labor costs to pay security professionals to perform tasks, which they pretty much hate.
Many organizations set their budgets for PCI compliance based on the avoidance of fines. Thousands of CFOs and other financial executives received letters from their acquiring banks in the last three years threatening monthly fines of $25,000 to $50,000 for non-compliance with the PCI standards. These letters drove much of the spending on PCI in 2006, 2007 and 2008.
These fines, however, did not drive "strategy." They did the opposite. They did not drive risk-based controls. They drove checklist controls. Now that more organizations have achieved basic checklist compliance, through compensating controls or whatever means necessary, it’s time for security professionals to focus on documenting and measuring residual risk, which remains after checklist compliance has been achieved.
We recommend reviewing your ROC or SAQ and identifying 5-10 areas where you know that ongoing risk is high and there is general "fear of the unknown" on the part of management. Wireless is a great example and so is application security. Then quantify the risks, in terms of potential loss, using security breach examples and some quotes from the PCI Knowledge Base or the press.
The goal is to get upper management to appreciate the delta between compliance and security, without making PCI compliance appear to be a waste of money. Quantification of risk is the key to making your case.
The advantage of doing 100 percent anonymous interviews is that some turn into confessionals. We have learned, for example, most of the PCI self-assessments that retailers do are pretty liberal in their interpretation of certain PCI requirements. This is not to say that companies are deliberately filing false reports.
But it is certainly fair to say that when there is a decision to make about how to interpret a specific requirement, that most executives are opting for the interpretation that will get their box checked the quickest, rather than doing the best to protect the data.
Given this situation, we recommend that security professionals can use the documented self-assessment as a tool to argue for specific controls, procedures or documentation that would be necessary to "prove" that the company really does what the self-assessment claims that the company does. In short, threat the self-assessment as a "promise" and tell upper management that you want to help make sure the company delivers on that promise.
We are currently working on two different reports based on our research and we’d like your help. For the National Retail Federation’s Big Show in January, we’re working on a "Cost-Effective Compliance" project that will feature many of retailing’s Best Practices in PCI. The other effort of the
PCI Knowledge Base is an analysis of the impact of PA DSS (Payment Applications Data Security Standard). If you are involved in either of these areas, or otherwise want to ask questions or discuss PCI, just send us an E-mail at David.Taylor@KnowPCI.com.