I apologize for not posting anything recently, but I have been busy dealing with my taxes, QSA re-certification and clients. Over the years that has involved dealing with people that I would like to think know better. But based on my interactions with them, it is painfully obvious that they do not. As a result, I have decided to write this letter to all of you in hopes that you get a clue as to how your short-sightedness is going to ultimately sell your organization “down the river”. I should have published this letter a long time ago, as this is not a new issue.
As I sat in the meeting, I watched your body language as I delivered our report on how well your organization is secured. Based on my observations, it is painfully obvious that you do not have a clue as to the importance of security and that you really do not care. Since I want my bill paid, I was polite and did not take you to task as you should be taken.
So, let me put this into blunt language that you might better understand.
First and foremost, as an executive of the organization, you have a fiduciary responsibility to protect the assets of the organization. Based on our findings, you are not protecting those assets; you are not even close. I realize that all of this technology baffles you, but it is that technology where your organization’s lifeblood of intellectual property resides in orders, formulas, blueprints, specifications, customer lists and other key or sensitive information. Without that intellectual property, your organization does not exist. Yet as we went through all of our findings, you argued time and again about what it will take in time, money and/or manpower to appropriately secure your organization. While I appreciate your concerns, this is what it takes to secure an organization that relies heavily on technology.
Second, security is not perfect. I am not exactly sure where you got the impression that security is perfect, but that is wrong and you need to adjust your thinking. Security is all about managing and minimizing risks. As an executive, that is one of your primary job functions. Yet your three/five/seven/ten-year-old risk assessment seems to point to the fact that risks and managing those risks are not a priority. As if that was not enough, we pointed out a number of areas where risk exists but there is no evidence that the management of those risks was being done. The recommendations we provided you offered a number of viable solutions; however, they will all require changes to the organization, which seemed to be your biggest reason as to why our recommendations could not be implemented.
Third, doing the bare minimum is not going to secure your organization. While we were talking specifically about the PCI DSS, any security framework is merely the ante into the security game. If you truly want to be secure, it will take significant time and a certain amount of money to make that happen. Buying security appliances and other “widgets” can only do so much. One of the biggest findings in our report is that your existing tools are not being used properly, and warnings and alerts are being written off as “false positives” without any investigation. With the level of sophistication of attacks rising exponentially, based on our assessment, those tools are doing very little to protect your organization. Another area of great concern is that your employees are, for the most part, unable to recognize current scams and threats. As you correctly pointed out, security awareness training is not going to stop every attack, but what you missed is that such training should significantly reduce such attacks’ effectiveness.
Fourth, you need to read the definition of “compliance”. As defined in Merriam-Webster’s dictionary, compliance means “conformity in fulfilling official requirements”. As our findings pointed out, you are not in compliance with a number of key “official requirements” defined by the PCI DSS. Without adequate “official requirements” such as policies, standards and procedures, how do your employees know their responsibilities and what you are holding them accountable for? Based on our discussion of findings, you apparently are of the opinion that your employees should just intuitively know their responsibilities and accountabilities. “Intuitively obvious” may apply to the operation of an Apple iPod, as stated by Steve Jobs at its introduction, but that phrase does not apply to the running of an organization.
Finally, a compliance program is not all about checking a box. I know most auditors/assessors seem to operate that way and most executives want it to work that way, but a proper compliance program should never, ever work that way. Compliance means looking at all of the organization’s protective, detective and corrective controls (the control triad) and determining if they are: (1) functioning properly, (2) designed properly, (3) minimizing the risks and (4) in need of any new controls or changes/enhancements to existing controls to make them function more accurately or efficiently. While you agreed with our findings regarding the control issues we identified, your argumentative behavior about them seems to indicate otherwise.
I wish you and your organization the best of luck because it seems that your idea of risk management is to rely on luck. I would like to tell you that you will succeed with that approach, however the statistics say otherwise.
Your Frustrated Assessor