Stop Confusing PCI Compliance With Actual Security

To this day, people are surprised when an organisation is breached after having achieved PCI compliance.

The PCI Security Standards Council (SSC) has never claimed that PCI compliance ensures the protection of cardholder data, especially when you consider that most organisations don’t DO PCI compliance for security, they do it to get their acquiring banks off their backs. All the SSC has ever claimed is that it helps, and it does.

Security is not about being impenetrable, that’s impossible. It’s about knowing your two main enemies: thieves and ignorance.

Thieves are lazy. In fact, I’d go as far as to say that laziness, more than a desire to be bad, is the leading driver behind computer crime. This drives them to steal first what is most easily available: the so-called low-hanging fruit. So to avoid thieves, just have YOUR fruit higher up the tree. That’s what PCI compliance does, and that’s all.


Security Core Concept 2: Security Control Choice & Implementation

I’ve only been blogging a month, and I have already repeated the following statement a dozen times in a variety of ways. It’s not that I’ve run out of things to say, or even ways to say it – if you know me, you know that’s not possible – it’s just that it’s THAT important:

Don’t buy ANYTHING until you’ve performed a Risk Assessment, and you know exactly WHY you’re buying it.

The only exception to that rule is, obviously, buying the risk assessment itself.

In Core Concept 1: Risk Assessment / Business Impact Analysis, and in Insecurity Through Technology, I have tried to stress that technology for technology’s sake can actually reduce your ability to perform both security monitoring and incident response. Security needs to be simple to be effective and sustainable.

Your risk assessment will detail exactly what your security posture should be in terms of mitigation / transfer / acceptance of risk, and in terms of operational resilience. The next step, therefore, is to see just how close you are to achieving those goals with your current controls. This will include policies, standards and procedures, data flow and storage (business processes), applications, infrastructure and so on. This is not just an IT gap analysis, it is a security and business continuity gap analysis.

As with the risk assessment, I’m not going to bore you with a list of the things that may need attention; it’s up to you to ensure you are conducting the gap analysis with the right resources to paint the most accurate picture possible. If you can do this with just internal resources, great, but consider bringing in external consulting help to ensure both objectivity and deeper coverage of the security-relevant skills and experience.

OK, let’s assume you now have your gap analysis, which includes a list of recommendations. These will most likely be far broader and/or deeper than you will ever have the ability or budget to fix completely. That’s OK: there’s no such thing as 100% secure, and you should not be striving for perfection. The idea now is to match the cost of mitigating controls against the risk assessment conclusions, to ensure that you are not only addressing the highest priority risks, but also doing so at an appropriate cost.

Cost is not just capital expense (i.e. technology); it’s resources (existing or additional), down-time, and so on. Whatever is required to meet the goals of the business is prioritised, and an implementation plan is created and given to the Governance committee. It is their responsibility to ensure not only that the current business goals (and possibly future ones as well) are met by the proposal, but also that the estimated cost of doing so does not exceed the value of the data being protected.

So now you know what you need to do, the order in which those things are to be achieved (hopefully in parallel), and who is going to run the project (or projects).

Now you have to decide HOW you are going to achieve the goals, and I HIGHLY recommend it’s done in this order:

  1. Adjust your non-technical business processes to remove both the requirement for, and the instances of, sensitive data. If you have no data, you have nothing to steal;
  2. Consider outsourcing the non-core function elements of your business to known-good vendors (e.g. if you’re e-commerce, outsource the payments piece to a third-party hosted shopping cart so that card data never touches your systems);
  3. Review your infrastructure in detail. I can almost guarantee there are some efficiencies or adjustments that can be made without the need for more technology;
  4. Buy more technology, but there are some VERY important considerations with this, and the choices you make should be driven by your business needs, and not by the brightest, shiniest toys.

The first three are too specific to each business to drill down into here, but for new technology to even be considered, the following must be kept in mind:

  1. Are you going to manage it yourselves, or outsource? – If the former, you will need to ensure you actually have the skill-set to do so. Too often the device ends up sitting on the IT manager’s desk because s/he was pretty much lost after the sales engineers left. Or worse, they plug it in and leave it there unpatched, which is the primary basis for insecurity through technology: a control nobody maintains soon becomes an attack surface rather than a defence;
  2. How are you going to monitor the device? – Does it have its own management station, or can it be integrated with an existing one, a SIEM for example? If it has its own management station, how many will that make now for your organisation? 5? 10? More? The more GUIs you have, the less time you will have to monitor them, and you will quite literally lose sight of what’s really important. Integration is key;
  3. Who will maintain the device operationally? – Any security device is only as good as its tuning and optimisation, and this process is cyclical and never-ending, regardless of whether or not your business changes. The thieves never stop, nor can your baselining efforts;
  4. Will the technology you’re purchasing scale with the possible growth of your business? – Regardless of your short-term goals, you will need to keep the business’s future plans in mind. There is nothing the business hates more than wasted investment.

I know I’m simplifying this drastically, but as I keep saying, security IS simple, it’s just difficult to achieve. Especially if you don’t get started.

Clearly there is a lot more involved in the due diligence necessary to make the right security control choices, but the above framework will fit the majority of businesses. All you have to do is fit it to YOUR business.
