I finally got around to listening to the Tripwire-sponsored, Martin McKeay- and Gene Kim-hosted PCI Hug It Out with Josh Corman and Mike Dahn. If you haven’t heard it, you should. Two very smart people (well, four actually, but two we are focused on) talking about PCI and the challenges it faces as a standard. http://www.tripwire.com/blog/compliance/pci/pci-hug-it-out-the-hug/#PCI
There was a great theme that came up in Josh Corman’s section, and in it I hear something that I believe in strongly – moving beyond compliance, and my favorite question: how do you move beyond it? The discussion goes into how compliance is a stick (or rather the fines associated with it), and asks what could be the carrot.
I’ve got some ideas…
First it requires a change from the Payment Card Brands (and maybe the PCI-SSC). It requires that they think the carrot model can work, and they are willing to come along for the ride. They must be willing to give rewards when companies exercise maturity, evolution, and creativity that exceeds expectations. Maybe make the reward an additional reduction in transaction fees for the increased reduction in fraud costs. These are rewards that a company will look for – and I recall back in 2007 the Card Brands decided to extend rewards to companies who complied. Maybe it is time to revisit this strategy.
Second, it requires a different model for the standard; a model that is based on control objectives (as Josh and Gene discuss). The objectives need to show the business (not just IT or Information Security) why these objectives are important to a business. This model would need to be forged out of the PCI SSC and its various working groups so that the reasons behind their choice of controls are clear. It needs to tell companies “WHY” they need to do these things, and not just in FUD terminology. The objectives need to be put into business terms – which is far beyond what the “Navigating the PCI-DSS” does now. I would point at HIPAA as an example. One of my favorite controls is the requirement that medical records must be capable of being restored in 24 hours. I point out to my customers that this is about the timely treatment of a patient and the availability of their records to a doctor who must treat them. An IT problem put into business terms. In terms of PCI, this information is lacking. I just need to reflect upon the times customers have asked me about a strategy for a “mitigating control” to recognize the value in this. In these cases my best answer came from analyzing the DSS, finding out what the objective was, and asking whether it was being achieved with the customer’s mitigating control. Not all the controls are so easy to understand or abstract, and I have struggled in several cases to give an answer with a straight face (Why do we need to label every device in an organization with a contact and its purpose? I’m not etching my iPhone’s purpose on its already fragile case and antenna!) The process of abstracting the current DSS controls is not an overly difficult exercise, except that it tends to highlight the not-so-bright choices in controls, and biased choices not based on empirical facts. It also tends to highlight when certain parties have ulterior motives (such as vendors pushing their solutions).
If Josh, Mike, Gene or Martin would like to find good candidates to do this work, they need not look any further than the auditors and assessors who work in SOX every year. They have had to struggle through this work for at least seven years now and have gotten pretty good at building control objectives and building the logic behind them. I believe Gene has also published a paper on the framework for this that is intriguing, and it should get everyone’s support.
Third, I would recommend that success in compliance not just be achieved by creating controls to meet an objective but by sustaining the maturity of the controls put in place to achieve that objective. Imagine, if you will, that the Payment Card Brands awarded lower per-transaction fees to companies that demonstrated a higher level of maturity in their controls. Maturity meaning a process of continuous improvement – based on CMMI, OCTAVE, and any other highly relevant process of improvement that is seen as useful. Now we get at what I think the Hug-it-Out was talking about when they said “It’s like raising children.” Give them rewards when they grow up and mature the right way.
Fourth, it will require greater maturity on the part of the QSAs. Forgive my rant on this point, but in order to effectively evaluate elements of security posture such as maturity and the achievement of control objectives, you need a significant amount of maturity from the assessors. This comes from twenty-two years in the industry watching my clients suffer through the opinions (or lack of opinions) of auditors and assessors for whom the ink has barely dried on their diploma. I fear the QSA market is too immature to sustain a solid model of maturity. I wish (hope?) this were different.
With these four steps, you have made much clearer to companies the concepts you want them to comply with. You have given them incentives (carrots) to lead them along, and made the process of reaching those carrots one that requires maturing, learning and growth. You have asked them to think about their business, think about the risks and goals, and start to include them in their business planning. Companies need to recognize that PCI-DSS compliance is not an IT or Information Security challenge; it is a challenge for a company’s processes of Revenue Recognition, Fraud/Loss Prevention, and Company Image/Reputation. Now we are talking in terms that the C-levels will understand.
If you don’t include this, all the data and evidence about what works and what doesn’t will still be meaningless. It has to have meaning for the companies who fall under PCI Compliance, and it has to align with their goals. This is why I feel, like Josh, that a risk-based approach would be so much more effective.
Josh, Mike, Gene, Martin…thanks for this podcast, and please keep this movement going. I’m game for it!