Monthly Archives: May 2009

Do Data Breach Laws Push Compliance?

CIO Australia recently posted an article suggesting that data breach notification laws drive compliance. Bob Russo is quoted quite a bit in the article, but there is a part that is missing. It’s not Bob’s fault; he is speaking from the Council’s perspective, and he hit the bullseye. But what Bob does not say is what is really driving compliance. I’ve been doing PCI/CISP compliance work since 2004, not quite two years AFTER the September 26, 2002 filing of California’s SB 1386, the first state data breach law. Unfortunately, many companies did not pay much attention to it until several years later, when other states started passing similar laws, especially when Minnesota passed the Plastic Card Security Act in 2007. Being ...


Seth Godin Gets Risk Management

On a recommendation from a friend, I picked up Tribes by Seth Godin. I’ve read many of Seth’s great books, the most popular probably being The Purple Cow, and each time I marvel at human nature’s rationalization that complex equals better. Complexity sometimes does equal better, but don’t you think it’s funny how sometimes the simplest ideas are the ones that far exceed the complex ones? These are the ones that end up leaving a red mark on your forehead from your hand after you smack yourself and say “Dammit, why didn’t I think of that?!?” Man crush aside[1], security professionals need to read his books. If there is anything negative to say about us security folks, it’s that we don’t ...


Managed Security Services ≠ Light Switch

RSA 2009 has been in the can for over a week now, and I’ve had some time to reflect on the state of security since the economy broke its nose on the market floor. Gartner released reports saying that security spending was not cut as hard (if at all) when compared to other areas inside companies. People on the expo floor had mixed experiences as well. The four common themes I discovered were: (1) non-essential security spending was cut (but things you have to do, like SOX and PCI, are fine); (2) headcount was cut; (3) no change; and (4) my hair is on fire. Regardless of the theme, more security professionals are warming up to the idea of Managed Security Services. While most of ...


The Legal Risk around PCI

David Navetta published a fantastic article in this month’s ISSA Journal entitled “Who is Minding the Legal Risk around PCI” that takes a deep dive into the legal ramifications of not complying with the standard. If you do not get the journal, first off, go join the ISSA! It comes free with your membership. In the meantime, jump over to David’s blog to read the article. Towards the latter part of the article, David lays out two very real risks that I have discussed many times in this blog, such as QSA shopping, rubber stamping, and scoping. Enjoy, and have a great weekend!

