Ideas After RMISC 2009 PCI Panel
Today I participated in a very interesting PCI panel at the ISSA Denver RMISC 2009 conference in Denver. Actually, even our pre-panel discussion was very interesting: we intended to hit such subjects as checklist mentality vs. risk mentality, prescriptive compliance versus outcome-based compliance, PCI for organizations of various sizes, and even PCI compliance in virtualized environments.
At the start, it was nice to notice that the majority of the audience agreed that PCI was helpful for their organizations in cases where they wanted to jumpstart their security program but were not sure how. Most people also agreed that PCI helped them get executive attention and the much-needed budget to implement the security controls they knew they needed to have. No surprises here.
However, at some point in the discussion I started to realize that the desire of some organizations to do “compliance first” and to treat PCI as a “blind” checklist, as well as their desire to focus only on achieving compliance and not at all on security, was due to the fact that the pressure on them “to be secure” was much weaker than the pressure “to be PCI compliant.”
In other words, those organizations on a journey to “we just need to get the auditor/assessor off our backs” fear their auditors more than they fear the hackers (uh-huh, Russian, Chinese and Romanian combined); at least, their decision-makers seem to. Those same decision-makers also likely think that it is much simpler to measure when they are PCI compliant (= when the QSA leaves with a ‘PCI OK’ report) than when they are “secure enough” (= when nothing bad happens for a long time DURING WHICH they are not asleep at the wheel…); thus, in their minds, compliance looks like a “cheap substitute” for security.
When this discussion started, many of the audience members pointed out that PCI compliance projects were initiated by the finance departments or even directly by the CFO. At the same time, most of the security projects at their organizations were initiated by the IT departments (or their IT security sub-departments). It goes without saying that the CFO has much more of the CEO’s ear than some unnamed security manager down in the trenches.