SecurityInfoWatch
Security Technology Executive

Updated: May 22nd, 2008 12:05 PM GMT-05:00

Compliance Scorecard

The PCI Data Security Standard


By Kenneth L. Davis

I have had the opportunity over the past several months to talk to many CSOs and CISOs about their experiences implementing and maintaining compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS is a well-thought-out contractual mandate, the result of a rare collaboration across commercial industry. It has been highly successful in demanding compliance from users of card services and in levying stiff penalties for non-compliance.

In spite of this real incentive to comply, some executives continue to struggle with implementing the security standard for a variety of reasons:

• Sometimes executives misunderstand the nature of compliance.
After talking to several CSOs and CISOs struggling with the DSS, I’ve noticed that many business leaders think of PCI compliance and assurance as a one-time, gap-mitigation event that only applies to technology and is conducted six weeks prior to the arrival of the PCI auditors.

To counter such misunderstandings, the CSO and CISO must combine organizational forces and create partnerships and awareness sessions with each other and then with the business. This will help them find champions who will support a more holistic approach to compliance and assurance. If business executives are only asking about PCI once a year, it is time to get out of the office and shake some trees to get the discussions going. There is no advantage in waiting, and rarely is six weeks enough time to do anything that requires the involvement of more than one organization.

• PCI DSS is seen and managed solely as an information technology project.
Nothing builds organizational and leadership distrust, back-biting and “real estate” wars more than leaving key organizational stakeholders out of the creation and implementation of strategic and tactical plans. Having worked in IT for practically all of my professional life, I understand that IT experts often feel a great deal of personal ownership over some projects, and they sometimes espouse an attitude that life begins and ends in IT. However, I also know that many business organizations and stakeholders, fed up with such attitudes, staunchly resist any new ideas, partnerships and requests originating out of IT. Over the years, we may have come to earn such snubbing. Regardless, such an environment does not promote business success.

To counter these cultural problems, many IT organizations now present IT as a service to the business. Reaching out to strategic partners, involving key individuals, and seeking to understand and to be understood — these actions help businesses reach compliance and build successful assurance programs.
