We’ve talked quite a bit about PCI DSS compliance here (http://beastorbuddha.com/category/pci/). Generally, we’ve looked at what is going wrong, what can go wrong and, from there, what organisations should be considering to do it better. This post looks at it from a slightly different perspective, though not a wholly new one either – we’ve touched on and skirted around this a few times.
While PCI DSS has been a good wake up call for many organisations, there’s a negative side too which doesn’t get much attention, lost in all the talk about the benefits that PCI DSS has provided to organisations who previously had weak to non-existent security practices: a security strategy based solely on compliance.
It doesn’t work.
It’s not a chicken and egg scenario and it does leave organisations in that so often discussed, “false sense of security” scenario.
Compliance needs to be wrapped up within an overall strategy and framework – not the other way around.
Compliance, regardless of who mandates it, has a scope. That scope doesn’t always encompass your whole organisation.
Auditors who hold the QSA certification have demonstrated a certain level of competence in understanding the PCI DSS and the objectives of the card brands. That is all. Beyond that, organisations who engage QSAs have, off the bat, no idea of the broader Information Security and Risk Management knowledge of those individuals. Now here’s where the problem lies…
As I mentioned, many organisations are being exposed to Information Security for the first time through PCI DSS (just one example – it could be any regulatory set of standards). This means that whatever the Auditor recommends becomes the organisation’s Information Security strategy/framework: compliance setting the strategy and everything that flows from it… Scary!
Now let’s ramp it up and get a bit controversial. Many QSAs are not senior Information Security experts (based upon our experience), or at least not to the level required to develop a security strategy for an organisation. Hell, many CSOs struggle with it. We see it all the time. Get where I am coming from? (Aside: there is a great post over at the /dev/null blog by Jarrod on the topic of consultants.)
Sure, some of these organisations become compliant, and God only knows how they were certified as compliant (from our experience coming in after some QSAs), but really, where are they at? Mileage varies, as they say. They’ve made a few steps forward and then they stop! In most of these cases there is no subsequent next step for these organisations. They have their strategy in place – a strategy developed solely for compliance reasons and guided by an Auditor whose speciality may not extend beyond the scope of the regulatory standards they are auditing.
I welcome your comments.

This is absolutely spot on. I have just come off the back of one engagement where I’m working on audit remediation. The whole thing is a shambles precisely due to this approach.
If you want a root cause analysis, I’ll give it to you. Funnily enough, I reckon these causes are systemic with every organisation I’ve seen this situation occur.
1) Senior management wanting to make themselves look good. Shit must never stick to them. Ever.
2) Same senior management treating staff badly (especially security staff). This results in staff churn. Net effect is nobody sees the thing through to the end.
3) They get inexperienced security staff hires (i.e. no real architects, certainly not at the level they require).
4) Management insist on a “tactical response” to every finding – do the bare minimum (and I mean the “bare minimum”).
I was pulled in to make it come away looking like a roaring success. This half-arsed, minimalistic approach has left it that there is no way they can pass it, no matter how they dress it up. I told the customer this. I also said I can help demonstrate improvement from the past audit, but at the end of the day, there are only so many ways I can polish a turd.
There is nothing wrong with using compliance to drive security strategy, _however_ that presupposes that there is a strategy in the first place!!! QSAs, consultants, etc., need to completely dispel this “tactical response” to audits. No apologies, no whitewashing – all managers need to be told straight up that that is the wrong attitude to take with ANY audit and it will only lead to complete, miserable failure.
Amen brother Anonymous.
All good points Drazen. PCI Compliance often drives security strategy and policy. Particularly where the organization had no strategy or policy to begin with!
While this is scary, I think it’s much scarier what these companies do if left to their own devices. I imagine much like Anonymous above says – ‘the bare minimum’.
PCI simply moves the bare minimum from ‘nothing’ up a few notches.
And for those companies that will always do the bare minimum we will see situations like this. You can force them to follow a set of rules, but you can’t force them to care.
So of course when working from a blank slate we see people structuring their policy around PCI as you say. And QSAs certainly “Teach to the Test” which doesn’t help.
Doing this is foolish. But that’s where the ‘bare minimum’ bar is now set.
And I agree it doesn’t work. At least not for very long.
Thanks team. Declan and Brendon are the best QSAs. We were heading down this path also. No longer.
Glad to hear others seeing the same.
This is true overit.
So true.