Saturday, 14 June 2008

Compliance abuse

Vendors talk about PCI so much that the reality gets skewed. Walking around RSA or InfoSec this year, you could have been forgiven for thinking that PCI was a problem that could be fixed with software. Certainly some software may be able to help with a couple of points of PCI, but there are a couple of issues I have with this vendor approach.

Firstly, they present PCI as a problem, along with other FUD. FUD is so 90s, so Chicken Little. Security has got stuck in a rut in the 00s because we've spent so long saying the sky's going to fall in. When it didn't, no one believed us any more, and people had to try and make up their own minds. Now the people who stand out are the ones who say the opposite, who say that they can actually aid your business and help it to make money. In fact, that's always been a way to make money from software; it's just that using compliance as part of FUD has detracted from the overall value of both security and compliance.

Used properly, compliance will make your business run smoothly without you having to recruit too many specialists. Security will help you achieve that, but here's the second problem. Although I have been firmly on the vendor side of the fence for many years now, I can't repeat enough that security isn't all about software. Without decent policies and education, security software is near useless.

My friends over at the SPSP (Society of Payment Security Professionals) have recently developed the CPISM (Certified Payment-Card Industry Security Manager). It strikes me that this is something long overdue. Developed by Mike Dahn and Heather Mark, two of the biggest names in PCI that I can think of, and with Walt Conway on the advisory board, it's sure to be comprehensive and more importantly, relevant and useful.

I can't wait until RSA next year, when all the newly qualified CPISMs start asking the questions that Walt and Mike did this year. I'm going to suggest to Mike that he make this part of the course!
