“Better to remain silent and be thought a fool than to speak out and remove all doubt.” Abraham Lincoln
What is your organization interested in? Security or checking a box?
Not surprisingly, most people answer “security” and then go on to prove with their actions and words that they are only interested in checking a box.
For all of you out there that argue ad nausea about the meaning of PCI DSS testing requirements and the requisite documentation are interested in one thing and one thing only; checking a box. I am not talking about the few that have honest differences of opinion on a few of the requirements and how a QSA is interpreting them and assessing them. I am talking about those of you that fight constantly with your QSA or acquiring bank on the process as a whole.
If you were to step back and listen to your arguments, you would hear someone that is splitting hairs in a vain attempt to avoid having to do something that would improve your organization’s security posture. In essence, you want to only be judged PCI compliant, not actually be secure.
To add insult to injury, these are also typically the people that argue the most vehemently over the fact that the PCI DSS is worthless because it does not make an organization secure. Wow! Want to have your cake and eat it too! Sorry, but you cannot have it both ways.
Everyone, including the Council, has been very clear that the PCI DSS is a bare minimum for security, not the “be all to end all” for securing an organization. Organizations must go beyond the PCI DSS to actually be secure. This where these people and their organizations get stumped because they cannot think beyond the standard. Without a detailed road map, they are totally and utterly lost. And heaven forbid they should pay a consultant for help.
But I am encountering a more insidious side to all of this. As you listen to the arguments, a lot of you arguing about PCI compliance appear to have no interest in breaking a sweat and doing the actual work that is required. More and more I find only partially implemented security tools, only partially implemented monitoring and only partially implemented controls. And when you dig into it as we must do with the PCI assessment process, it becomes painfully obvious that when it got hard is when the progress stopped.
“It’s supposed to be hard. If it wasn’t hard, everyone would do it.” Jimmy Duggan – A League Of Their Own
Security guru Bruce Schneier was speaking at a local ISSA meeting recently and when asked about why security is not being addressed better he stated that one of the big reasons is that it is hard and complex at times to secure our technology. And he is right, security is hard. It is hard because of our poor planning, lack of inclusion, pick the reason and I am sure there is some truth to it. But he went on to say that it is not going to get any easier any time soon. Yes, we will get better tools, but the nature of what we have built and implemented will still make security hard. We need to admit it will be hard and not sugar coat that fact to management.
Management also needs to clearly understand as well that security is not perfect. The analogy I like to use is banks. I point out to people the security around banks. They have one or more vaults with time locks. They have video cameras. They have dye packs in teller drawers. Yet, banks still get robbed. But, the banks only stock their teller drawers with a minimal amount of money so the robber can only get a few thousand dollars in one robbery. Therefore to be successful, a robber has to rob many banks to make a living which increases the likelihood they will get caught. We need to do the same thing with information security and recognize that breaches will still occur, but because we have controls in place that minimizes the amount or type of information they can obtain.
“There’s a sucker born every minute.” David Hannum
Finally, there is the neglected human element. It is most often neglected because security people are not people, people. A lot of people went into information security so that they did not have to interact a lot with people – they wanted to play with the cool tools. Read the Verizon, Trustwave, etc. breach analysis reports and time and again, the root cause of a breach comes down to human error, not a flaw in one of our cool tools. Yet what do we do about human error? Little to nothing. The reason being that supposedly security awareness training does not work. Security awareness training does not work because we try to achieve success only doing it once per year not continuously.
To prove a point, I often ask people how long it took them to get their spouse, partner or friend to change a bad habit of say putting the toilet seat down or not using a particular word or phrase. Never in my life have I ever gotten a response of “immediately”, “days” or “months”, it has always been measured in “years”. And you always get comments about the arguments over the constant harping about changing the habit. So why would any rational person think that a single annual security awareness event is going to be successful in changing any human habits? It is the continuous discussion of security awareness that results in changes in people’s habits.
Not that you have to harp or drone on the topic, but you must keep it in the forefront of people’s mind. The discussion must be relevant and explain why a particular issue is occurring, what the threat is trying to accomplish and then what the individual needs to do to avoid becoming a victim. If your organization operates retail outlets, explaining a banking scam to your clerks is pointless. However, explaining that there is now a flood of fraudulent coupons being generated and how to recognize phony coupons is a skill that all retail clerks need to know.
- Why are fraudulent coupons flooding the marketplace? Because people need to reduce expenses and they are using creative ways to accomplish that including fraudulent ways.
- What do the fraudulent coupons do to our company? People using fraudulent coupons are stealing from our company. When we submit fraudulent coupons to our suppliers for reimbursement, they reject them and we are forced to absorb that as a loss.
- What can you do to minimize our losses? Here are the ways to identify a fraudulent coupon. [Describe the characteristics of a fraudulent coupon] When in doubt, call the store manager for assistance.
Every organization I know has more than enough issues that make writing these sorts of messages easy to come up with a topic at least once a week. Information security personnel need to work with their organization’s Loss Prevention personnel to identify those issues and then write them up so that all employees can act to prevent becoming victims.
Those of you closet box checkers need to give it up. You are doing your organizations a huge disservice because you are not advancing information security; you are advancing a check in a box.