There are 2 types of Qualified Security Assessor (QSA): The ‘also-QSA’, who was a security consultant long before PCI, and had performed much of the work as detailed in the Security Core Concept blogs.
Then there are the ‘just-QSAs’ who managed to read a book, pass the CISA/CISM/CISSP exam, and qualify for the ever-so-difficult QSA training. They have delivered nothing but PCI ever since.
In case it’s unclear; first one good, second one bad.
Well, bad for you if you’re one of the ‘justs’, and bad for your clients if you’re all they have to rely on. You won’t learn how to do security properly, or be able to provide consulting services regardless of the data type, compliance regime, or industry sector. Your clients will never get anything other than tick-in-the-box compliance.
PCI has a shelf life, and I imagine that at the current rate of payments innovation, you have only a few years to diversify. After that there is no way you will be able to maintain your current compensation package. Without some significant experience in non-PCI security areas, your usefulness is limited.
Progress will be difficult if you work for a ‘just-QSA-Company’, because you HAVE nothing else to do. You may want to seriously consider working for a security company that’s in the ‘also’ category. There are many.
You probably have a training budget too, so spend it. ISO Lead Auditor, CIPP/X, CLAS (UK), ITIL, Prince II, while not all security specific, are most certainly relevant. Relevant to providing the kind of guidance that is in depressingly short supply. If you can use this training to your current company’s benefit, great. If you can help them design non-PCI services, you are way ahead of the game.
However, there is a better than average chance that your career preferences will fall more on one side or the other of ‘business-focused’, or ‘technical-focused’. It’s important therefore that you NOT try to embrace all 6 core concepts at once. Even security experts need to specialise.
What we are all working towards is an understanding that IT and IT security are business enablers, not a roadblock. PCI is ‘just an expense, with limited to no return on investment’, or at least thats how it is mostly seen. Our job is to put security into a business context so that the benefits are clear to every level of the organisation.
The CEO cares about the bottom line, s/he does not care about the detail until that detail gets in the WAY of business. This is why there is so little management buy-in when it comes to security and compliance. If we can show that a well run IT infrastructure enables business transformation, innovation, enhanced efficiency and so on, we’ll have demonstrated our worth.
THAT’S our job, not just protecting credit card data with a minimal set of security controls to which you had no input.
The fundamentals of security have never changed, and won’t any time soon. So if you take the time to get back to basics, you’ll future-proof your career.
Security is simple, it’s not easy, but it is simple.