…or better still, keep doing what you’ve learned, all day every day.
This is the final post in my ‘Going Beyond the Standard’ series – HURRAH!! – and hopefully despite all of the spelling mistakes, grammatical errors, left-field rants, and miscellaneous off-topic diatribes that you have derived some benefit from it.
Timing is pretty good as well, seeing as the SSC came out with their Information Supplement: Best Practices for Maintaining PCI DSS Compliance, and I will say that I have to agree with the majority of its content. However, reading a book on emergency appendectomies does not make me a doctor, so when it comes to the implementation of the ‘staying compliant’ concepts, have an expert help you.
It takes someone very skilled to make things simple, do not half-arse your security.
There is nothing in PCI that you should not already be doing around all of your sensitive data, and there are no validation requirements that should fall outside of standard practices. In fact, you should be validating EVERY day, not once a year, and the only way to do that is to baseline everything and report against exceptions.
I previously used this ridiculous analogy; If every PCI requirement was a tennis ball, you could very easily carry them all from a weight perspective, but it’s impossible to hold them all together without some kind of container (Tennis ball = DSS Requirements, Container = Security Program). In other words, the requirements themselves are basic, but completely out of context from an ongoing management, business, or even good security practice perspective.
The reason PCI becomes so difficult to maintain is because security in general is too often seen as an IT project and not what it is; a business process. The only time it gets the attention it deserves is when there’s a problem, which is already too late.
When I started my own business, and when I began this blog, it was with the following premise; “Security Is Not Easy, But It Can Be Simple.” Yet every business for whom I have ever provided guidance were basically making a pig’s ear of it, and it always revolves around a lack in at least one, but usually all of the The 4 Foundations of Security.
The way I have always phrased it is; “If my boss does not care about something, guess how much I care about it?”, which is why I have made this statement several times now;
“Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEOs fault, and no-one else’s.“
So if you get nothing out of this series of 25 blogs, take that away and do what you can to help them change the culture to one of accountability and responsibility across the entire organisation. It will pay dividends.
Hope you enjoyed the series, and I would welcome any guest blogs that either expand on the concepts on the subjects on which I am weakest (encryption, coding, charm, spelling etc.) or are better than mine if it’s a subject in which you are an expert.
There is no room for ego in security, everyone has to win.