Cybersecurity Is About Attitude, Culture -- Not Strictly Compliance

Posted originally on Wired, InnovationInsights blog

How do you avoid becoming the Next Big Retail Breach Target? There are plenty of points — and counterpoints — on the topic. As a cybersecurity professional who has specialized in compliance with the Payment Card Industry (PCI) Data Security Standard for more than a decade, I have a great deal of thoughts to share. So consider this the first of a five-part blog in which I’ll lend my perspective about the state of systems protection in the retail industry — and how to safeguard your business.

In all that I’ve read, there’s too much emphasis on whether a breached retailer was certified as PCI compliant. Is this important? Of course, it is. But a “yes/no” reading on certification fails to address a general attitude of merchants toward the whole PCI process. I have been a Qualified Security Assessor (QSA) since the inception of the PCI standard and I can tell you that, too often, the attitude of my customers conveyed a sense of “Let’s get this over with...” or “The audit of the month is wasting my time...” or even “Just tell me what I need to do to pass.”

There are exceptions. But I’ve worked with too many companies which don’t really embrace the impact that successful PCI security standard implementation can make with regard to their overall security posture – not simply for the protection of credit card data, but for the protection of their entire enterprise. This notion is frequently lost on merchants because they spend an inordinate amount of time attempting to “limit the scope of the assessment.” This typically meant, “If you don’t have to look at a set of systems, then I don’t have to secure them...” Most of us would agree that this is the wrong approach.

I came into PCI as a veteran information security consultant with a Department of Defense (DoD) background. I also happened to be classically trained as a Cryptanalyst. My customers would get a healthy dose of security awareness in general. But I was particularly interested in educating them about how particular PCI controls have come about and what they mean – in other words, context. Frequently, at the conclusion of the assessment, customers told me, “That was the toughest assessment [audit] we’ve ever been through. But it was definitely worthwhile because we need to be more secure.” What’s wrong with PCI is not the standard itself, or the specific controls. They’re not perfect. But holistically they are the most exacting and comprehensive set of security controls I have seen outside of the DoD. In fact, I believe they stand up very well as a framework for any security program.

Unfortunately, they are rarely perceived as such. The PCI industry promotes this misguided approach to “simplifying compliance” and “reducing scope.” Yet, too many companies get wrapped around these directives and quickly lose sight of the bigger picture: security!

Case in point: I would often hear from the security/IT folks at my clients that PCI standards are only a starting point. They knew very well that PCI represented a bare minimum approach that a “real” security-focused program would go much further and require much more. However, the same organizations struggled to meet all of the requirements and successfully demonstrate compliance.

How can a standard deliver no more than the bare minimum, yet still be difficult to achieve? In large part, it’s because security is about attitude/posture/mindset/culture rather than the achievement of a predetermined, perceived “state.” Security is something you DO continuously and diligently; not something you check off a “to do” list and then sit back and relax. PCI has all the component parts to allow companies to adapt this state of due diligence. But it is too commonly presented as a point-in-time AUDIT — by just about every member of the PCI community be they QSAs, the PCI Security Council, the merchants themselves or in particular the vendors selling the “quick fix”/” buy this and you’re done” solutions. We can do much better. And you’ll find out how during this five-part blog series. In Part II, I’ll examine some of the most prevailing myths and realities of PCI and cybersecurity for retailers.