PCI Compliance Becomes Scorecard for CSOs

Companies recertifying for the second or third year of PCI compliance are having a rough go of things as of late. A combination of the latest clarifications within the revised PCI DSS standard, along with the recent scoring matrix that compels assessors to ensure they have done a thorough job as part of the review, have caught an unfortunate number of CISOs flat footed. Anyone who thinks they are about to go through a “check box exercise” could find themselves with small to large remediation efforts that are forcing many to miss their renewal dates. These challenges are being exacerbated by the fact that assessors are getting better at their job, and security budgets are getting hit like everything else. These dynamics are generating some painful realities for those chartered to maintain compliance to this very thorough and rigorous standard. Unfortunately for most CISOs, the subtleties of why they are missing compliance dates and risk potential fines and/or change of compliance status for service providers, is lost on executive leadership. Based upon some things we’ve observed over the years, leadership changes aren’t necessarily a bad thing, but it doesn’t serve anyone’s interest to throw the baby out with the bathwater.

What is a CEO to do?
Meanwhile, CEOs are struggling to drive the business forward in a historically difficult operating environment, and often view the Infosec team as being an impediment rather than an enabler to the business. An ill tempered CEO who thinks his CISO isn’t getting the job done does not bode well for our industry as playing a game of musical chairs merely slows down security initiatives, thus defeating what were certainly good intentions. What makes this decision more difficult is that the CEO has little tangible insight as to whether organizational risk is trending up or down. Graph charts depicting a downtrend of critical findings from Nessus scans surely don’t tell a CEO much about how much risk has been mitigated. Fact is, based upon our observations there are very few CISOs who even know what they are protecting outside of PCI related assets.

Getting beyond the PCI scorecard
Within the current operating landscape, it’s incumbent upon CISOs (or equivalent in responsibility), to position within the organization that compliance is a shared problem between all parts of the business including IT operations, Security Operations, Human Resources, Legal, and Executive Leadership. It should further be made clear what exactly each part of the business is responsible for implementing, and hold all accountable. Finally, bringing effective communications supported by meaningful metrics to the subject are critical to help communicate throughout the leadership chain that residual risk is being appropriately managed and mitigated.

As for your next PCI assessment, unless you’ve consulted with your QSA to discuss changes made within the standard, it is wise to set expectations with varying levels of leadership that there will likely be findings that weren’t issues within previous years and to anticipate resource requirements accordingly.