I have had the opportunity over the past several months to talk to many CSOs and CISOs about their experiences implementing and maintaining compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS is a well-thought-out contractual mandate, the result of a rare collaboration among commercial industry. It has been highly successful in demanding compliance from users of card services and levying stiff penalties for non-compliance.
In spite of this real incentive to comply, some executives continue to struggle with implementing the security standard for a variety of reasons:
• Sometimes executives misunderstand the nature of compliance.
After talking to several CSOs and CISOs struggling with the DSS, I’ve noticed that many business leaders think of PCI compliance and assurance as a one-time, gap-mitigation event that only applies to technology and is conducted six weeks prior to the arrival of the PCI auditors.
To counter such misunderstandings, the CSO and CISO must combine organizational forces and create partnerships and awareness sessions with each other and then with the business. This will help them find champions who will support a more holistic approach to compliance and assurance. If business executives are only asking about PCI once a year, it is time to get out of the office and shake some trees to get the discussions going. There is no advantage in waiting, and rarely is six weeks enough time to do anything that requires the involvement of more than one organization.
• PCI DSS is seen and managed solely as an information technology project.
Nothing builds organizational and leadership distrust, back-biting and “real estate” wars more than leaving key organizational stakeholders out of the creation and implementation of strategic and tactical plans. Having worked in IT for practically all of my professional life, I understand that IT experts often feel a great deal of personal ownership over some projects, and they sometimes espouse an attitude that life begins and ends in IT. However, I also know that many business organizations and stakeholders, fed up with such attitudes, staunchly resist any new ideas, partnerships and requests originating out of IT. Over the years, we may have come to earn such snubbing. Regardless, such an environment does not promote business success.
To counter these cultural problems, many IT organizations now present IT as a service to the business. Reaching out to strategic partners, involving key individuals, and seeking to understand and to be understood — these actions help businesses reach compliance and build successful assurance programs.
• Business units disagree on the right approach to achieving compliance.
The PCI DSS communicates people, process and technology requirements for compliance. But it doesn’t communicate exactly how it should be implemented or what product must be used. In the IT world, product selection often becomes a point of debate and contention. IT people sometimes act as if a certain vendor’s hardware appliance or software product is an extension of their personal identity. If you run into Karnac the IT Magnificent, get your benchmarking supporting material ready, because if you decide on a product other than his personal favorite, this individual will debate and test your patience until you decide you a) have wasted too much time on this decision and give in, or b) would rather be selling ceramic horses at flea markets.
If your boss or board of directors continues to ask questions about your implementation of PCI DSS after you have already presented your approach to compliance, it may mean you have not established enough credibility to satisfy other voiced concerns. Take time to shop your strategy and tactical plans. Be sure to involve not only the people who agree with your opinion, but those who may not as well.
You are one of many on the same journey to compliance. Take advantage of all of the available resources to assist you in making the right decisions. But above all, understand what the business expectations are for compliance and continue to stay in touch with these expectations, because they often will change two or three times before you have succeeded in implementing the “right” compliance and assurance program.
Kenneth L. Davis is chief information security officer for Sun Health and a faculty member for the Security Executive Council, an international professional membership organization for leading senior security executives spanning all industries. Throughout his 20-year career, Mr. Davis has managed and implemented information security and disaster recovery programs for multiple Fortune 500, financial, high technology, healthcare and insurance companies. For information about the Security Executive Council, visit www.securityexecutivecouncil.com/?sourceCode=std.
