Friday 15 February 2008

Perpetual Compliance Initiatives – have we understood the real meaning of PCI?

The information security industry reached a point of maturity during 2007, where companies scrambled to comply with the realities of various legislation, regulation and security standards that started to gain prominence in the boardrooms of UK Plc’s and beyond.

Annus mirabilis? – Security lessons reach the Nation(wide)!

First we had the fine of Nationwide by the FSA under the third principle of the FSA’s Principles for Businesses, which states “that a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.” The fine related to the loss of a laptop, where it was found that Nationwide did not have adequate information security procedures and controls in place, and that it was not aware that the laptop contained confidential customer information. This resulted in a fine of nearly £1 million, which sent shockwaves throughout boardrooms.

So what was the result? Did we see an improvement in information security procedures and risk management systems? Of course not; we saw the sales of laptop encryption products rise to a level never previously seen.

We then had the revised version of the Payment Card Industry Data Security Standard (PCI-DSS), initially released in June 2005, which superseded the initial version in January 2007. Now you might say that the PCI-DSS surely came before the FSA fine? You would be correct, but the point I am making here is that awareness of this contractual obligation only arrived after a frenzy of education driven by the vendor community, which continues to this day, with any seminar including PCI in its title being well attended. The PCI-DSS has proven to be a very profitable business for the QSA (PCI Qualified Security Assessor) and ASV (Approved Scanning Vendor) alike, as businesses struggle to grapple with a security standard which is quite clear and prescriptive in its intentions. The visibility of the PCI-DSS was also assisted by the amount of press coverage given to the pilfering of credit card details from the systems of TJX in the USA, although it must also be stated that this visibility was greatly helped by the promise of fines for non-compliance.

We also finished the year with a high-profile loss of customer details from HMRC, due to a lowly employee sending the full details of millions of child benefit claimants through the post. This, combined with other personal data losses, made front page news and drew scorn from the popular press and politicians alike, as the government was judged to be incapable of providing the same level of security as private companies within the UK.

So what’s the issue then?

The PCI-DSS, along with the effect that the Nationwide fine had, is indeed a welcome fillip to the industry as a whole; we have for too long been seen as techie nerds who have a propensity to speak in binary and stop business happening.

With the failures of non-technical controls newly prominent in the popular press, and the opportunity to build upon the business understanding started by Sarbanes-Oxley, which would surely be cultivated by, and prosper under, the obligation to comply with the PCI-DSS, the role of security functions would surely be elevated in the structure of organisations. Sadly, this has been an opportunity lost to date; the culture of ‘good enough’ security from 2006, the continual quest for compliance rather than excellence, and a failure to provide the security professional of today with the non-technical skills to converse with their business counterparts have created a stalemate.

Experience shows that the true route to compliance for the PCI-DSS comes from understanding how the business works and where security controls can be introduced to gain compliance. This is truly a unique opportunity for security functions to understand the workings of their business and the business to understand where the security function can add value and structure to their revenue streams. However, many companies look towards business analysts to provide the expertise to achieve compliance, placing a buffer layer between the two areas and yet another chance for the communication to become misunderstood.

Similarly, the Nationwide fine was a unique opportunity for security functions to highlight that it was not the lack of technical controls that resulted in the fine, but a lack of understanding of the risk arising from its business processes. Again, this opportunity was lost, with a flurry of additional technical complexity being introduced without a matching improvement in the structure and quality of risk assessment and procedural architecture.

Do the above examples show business value, or are they nothing more than a tolerable cost? The current short-term approach to security cannot be sustained in its current form, with companies being forced to spend money on the next big thing without any evidence of improvement in the security infrastructure within their organisation.

Solving the current malaise

The above issues are exacerbated by a lack of understanding, within the security industry itself, of the skills required to banish the tired rhetoric that causes the current perception among business professionals. We talk about security architects instead of consultants, and consultants instead of engineers/technicians. We as an industry need to shake off the jeans and trainers, and adopt the business suit, attitude and language, to change the perception within the boardroom.

Ask yourself a few searching questions:

· When did I last ask what our business wants to do in a month, six months and a year?
· Do I understand the laws and regulations that affect my company well enough to explain them to a child?
· Could/would I explain to the person in sales why they should involve me? Does that explanation include what’s in it for them?
· Do I look to relate the technical security issues to a law and/or regulation instead?
· Can I provide security metrics that can be understood and actually show progress?
· Do I dress like my peers in the business departments?

The simple fact is that every one of the above is important; even dressing in the same manner as your peers in other areas of the business is just as important in breaking down the sub-conscious psychological barriers that affect the way people interact. If you’re a manager, or other senior security professional, do you really need all those technical skills, or do you need someone who can win hearts and minds and become the friend of the business? Have you considered how well you and your teams understand the legal and/or regulatory issues?

Other examples of where to show improvement are in metrics and strategic alignment; ask yourself some more questions:

· Do I look to find and measure the root cause of attacks within my organisation, rather than just present the number of viruses detected last month?
· Do I consider the applications and systems that require the same protection levels and group them in the same network and system builds (e.g. sensitive data requires encryption, more secure builds, etc.)? If you answered no, or indeed feel that this is unrealistic, consider that most infrastructure gets refreshed within a five year period (or less). The business benefits of creating these logical domains of trust can include the ability to adopt risky technologies that bring significant cost savings, through lowering the residual risk, and the improvement of security monitoring through the control of systems. This provides a win for the business and a win for the security function.
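The two questions above, root-cause metrics and logical domains of trust, are easier to act on with a concrete model of the data behind them. The following is an added example, not code from the original post or its author: it reports incidents by root cause per month instead of a raw detection count, and checks a small asset inventory against a zoning policy that groups systems by the protection level their data requires. The incident records, asset names, zone names and the controls required per zone are all constructed for illustration.

```python
"""Added example (not part of the original post): root-cause metrics and trust-domain checks.

1. root_cause_report: per month, the share of incidents attributable to each root cause,
   which is a progress metric (does a cause shrink after a control is introduced?) rather
   than a bare count of detections.
2. trust_domain_findings: group assets by data classification into zones whose builds
   must carry a prescribed set of controls, and flag assets placed in the wrong zone or
   missing the controls their level demands.
All records, zone names and policy values below are constructed/hypothetical.
"""
from collections import Counter, defaultdict

# Constructed incident records: (month, incident type, root cause).
INCIDENTS = [
    ("2008-01", "malware", "unpatched workstation"),
    ("2008-01", "malware", "unpatched workstation"),
    ("2008-01", "malware", "user opened attachment"),
    ("2008-01", "data loss", "unencrypted laptop"),
    ("2008-02", "malware", "unpatched workstation"),
    ("2008-02", "data loss", "unencrypted laptop"),
    ("2008-02", "data loss", "no handling procedure"),
    ("2008-02", "malware", "user opened attachment"),
]


def root_cause_report(incidents):
    """Return {month: {"total": n, "causes": {cause: fraction of that month's incidents}}}."""
    by_month = defaultdict(Counter)
    for month, _kind, cause in incidents:
        by_month[month][cause] += 1
    report = {}
    for month, counter in sorted(by_month.items()):
        total = sum(counter.values())
        report[month] = {
            "total": total,
            "causes": {cause: round(n / total, 2) for cause, n in counter.items()},
        }
    return report


def top_root_cause(incidents):
    """Return (cause, count) for the root cause behind the most incidents overall."""
    counts = Counter(cause for _month, _kind, cause in incidents)
    return counts.most_common(1)[0]


# Hypothetical zoning policy: data classification -> zone and the controls every build
# in that zone must carry ("sensitive data requires encryption, more secure builds").
ZONE_POLICY = {
    "sensitive": {"zone": "restricted",
                  "controls": {"disk_encryption", "hardened_build", "monitoring"}},
    "internal": {"zone": "internal", "controls": {"hardened_build", "monitoring"}},
    "public": {"zone": "dmz", "controls": {"hardened_build"}},
}

# Constructed asset inventory: classification, where the asset currently sits, and the
# controls actually present on it.
ASSETS = [
    {"name": "card-db-01", "classification": "sensitive", "zone": "restricted",
     "controls": {"disk_encryption", "hardened_build", "monitoring"}},
    {"name": "hr-laptop-17", "classification": "sensitive", "zone": "internal",
     "controls": {"hardened_build"}},
    {"name": "intranet-web", "classification": "internal", "zone": "internal",
     "controls": {"hardened_build", "monitoring"}},
    {"name": "www-01", "classification": "public", "zone": "dmz",
     "controls": {"hardened_build"}},
]


def trust_domain_findings(assets, policy=ZONE_POLICY):
    """Return [(asset name, finding)] for assets that break the zoning policy.

    An empty list means every asset sits in the domain its protection level demands
    and carries the controls that domain prescribes.
    """
    findings = []
    for asset in assets:
        required = policy[asset["classification"]]
        if asset["zone"] != required["zone"]:
            findings.append((asset["name"],
                             f"in zone {asset['zone']!r}, should be {required['zone']!r}"))
        missing = required["controls"] - asset["controls"]
        if missing:
            findings.append((asset["name"],
                             "missing controls: " + ", ".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for month, row in root_cause_report(INCIDENTS).items():
        print(month, row)
    print("top root cause:", top_root_cause(INCIDENTS))
    for name, finding in trust_domain_findings(ASSETS):
        print(f"{name}: {finding}")
```

On the constructed data the unpatched-workstation cause dominates January and falls to a quarter of incidents in February, which is the kind of movement a board can read; the zoning check singles out the laptop holding sensitive data that sits outside the restricted domain without encryption or monitoring, which is precisely the gap the Nationwide case turned on.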

Through designing a security architecture with tangible business benefits, and providing meaningful security metrics, early adopters of the business security mindset can elevate themselves to the same usefulness as other professions such as accountants.

This isn’t a quick fix, but you have a responsibility to educate others and ensure that the business comes to you for help rather than running away from you.