A couple of weeks ago I was a speaker at a seminar hosted by the ISSA Colorado Springs chapter. The idea was to talk to some federal guidance coming down the pipe, the 2013 National Defense Authorization Act if you haven’t heard. The rest of the talk was some basic steps to start a Software Assurance process.
In the beginning of the talk I had a timeline of some breaches and also important legislation. I made a comment about 2008 being an important year because of the Heartland breach. I mentioned the amount of records breached and, in passing, said that they had just passed a PCI inspection.
Boom. A hand shoots up and it’s a guy from the PCI Council. As he informed me, there are only 26 people on the Council responsible for forming the PCI-DSS. First of all, I should have left the seminar and bought a lottery ticket. He goes into a long comment about his frustration with speakers pinging PCI when it is just a security baseline. He was clearly upset with my comment, but it opened a good opportunity for my presentation.
I agreed with him that PCI does not equal security, but that’s the problem with legislation and standards. Once an organization achieves compliance, they feel like they’ve done enough. To the bean counters in Finance, it can be difficult to justify more spending than what is “necessary”. We as security people wage that battle every day, and it will continue.
At the time of the Heartland breach, there was zero in PCI-DSS focused on applications. Later revisions would change that, but only a little. The major point of the presentation was that the latest NDAA has provisions requiring the Department of Defense to start securing their applications. That’s one small step for mankind, but one huge step for the DoD.
After getting off the stage, I was talking with a colleague about the PCI comment. He mentioned that this is the exact reason he doesn’t use absolutes when speaking in front of groups. I can see the logic in that viewpoint, but if you use passive voice all the time you’re not authoritative. If you can’t say something authoritatively, you probably shouldn’t be on stage talking about it. Even though there was some tension for a second, it made people pay attention because it was interesting.
I had to catch a flight after the talk, so I didn’t get a chance to talk with the PCI guy. I would have liked to thank him for his comment and for helping me make my point. I probably could have explained my comment more to show I wasn’t attacking PCI-DSS directly; I was showing that our reliance on compliance is completely dependent on the level of security provided by the standard.