Captain's Blog, Supplemental - PCI is dead, long live PCI!

I've been writing here over the last couple of days about RSA and InfoSec, and how the PCI messaging in particular has been much better at InfoSec, largely due to the fact that there was less of it. I was asked over lunch why I thought this was. I have to say thanks to Eleanor for asking me some of the more intelligent security questions I've heard in a while. Maybe a journalist's inquisitive nature, but it certainly got me thinking. Consider the following:
  • Last year at InfoSec, the PCI marketing was completely irresponsible and embarrassing - 'We solve PCI', 'Solving PCI in 60 days', type of thing...
  • It was like that at RSA in San Francisco this year, but NOT at InfoSec.
  • The US market is traditionally more advanced, certainly in terms of technical sales, than the UK/EMEA.
I wrote an article on this very topic for CW 6 months ago. We can see that technology advances very quickly in the US, and local people buy local goods. Even in bi-coastal offices there is only a 3 hour difference in time zones. Therefore, if an end user has a support issue, the vendor can be onto it immediately, or within 3 hours maximum; SLAs can be adhered to, support cases can be closed in a short time, and people can communicate easily.

In the UK, 8 hours away from Silicon Valley, the customer is not as well supported. This is why the channel exists as it does in the UK: tiers of support, protecting the vendor from waking up to a slew of angry British emails - we can be vicious in writing, you know.

So if the UK tried to pitch PCI last year and the US is still trying this year, what's happening? Surely the UK market hasn't overtaken the US market?

Actually, I think it's better to think of it in terms of what's NOT happening. Vendors are finally realising that offering to solve PCI isn't going to get them anywhere in the UK. No vendor will address everything in PCI. PCI is there to help, not to prescribe technology. I once had a customer snort at me in a meeting when I said that some people found PCI quite vague and difficult to get to grips with in a technical environment. He said he found it very specific, actually.

I don't just make things up to entertain people, but this guy was from management; all of the guys I'd dealt with previously were techies. PCI is a great management tool: it gives an excellent set of rules and a fairly good hint at what will happen if they are broken. The techie then has to go out and choose the products that satisfy management's requirements, though, so when faced with a bunch of marketing that all says the same incorrect and confusing things, the techie runs away.

Just as UK end users are reluctant to spend money on unproven, unsupported products from a remote origin, they are reluctant to accept that anything will solve all their problems. We have a much more cautious approach to security, and much more to lose if we make a poor decision, so the product has to be tried and tested... or local.

Great, so there's only one problem left: what about the flurry of activity in the US at RSA around PCI? Quite simply, it's a different market. There are many more small products, everyone grasping for their diminishing piece of the security pie. This is where the products originate, many of them on the doorstep of the Moscone Center, and 80% of these products will never see the light of the UK market. Each of these has to say it does a million things: solve PCI, make the beds, prepare breakfast and call you a cab home. That's why the sensible thing to do there is actually to shut up, stand up and let the product do the talking (as I mentioned at the time, PKWare were the ONLY product I saw do this). Sadly, few actually have a good enough product or a well known enough brand to do that. Maybe Microsoft could, Google could, but does anyone REALLY think these two names are security giants?

This argument is already much simplified and this post too long. I urge contributions to this debate, as I'm still floundering for ideas and want to get some fresh thoughts. But PCI as a marketing tool, I'm pleased to say, is dying a death over here. Maybe now PCI as actual compliance can have some air? That's a whole other set of posts.