No, this is not one of those posts poo-pooing PCI because it is the popular thing to do. But after my marathon writing sessions working on the book, I started to think about all the customers that I had visited over the years, and all the problems I have seen, and how even today the problems that come up are essentially caused by common root issues.

BTW, I’m hoping you guys all LOVE the case studies. Some of you readers might even be business owners or playing a part in them!  That was, by far, my favorite part of writing the book.  Maybe I’ll try some bad fiction writing next? (FAIL)

Anyway, one of the things that information security professionals rant about is how PCI should never be viewed as your total security program.  PCI by itself is not good security.  Many retailers, through no fault of their own, “know enough to be dangerous” with data mining and information management.  They have digitized data about their customers, products, financials, marketing plans, inventory, and employees to help make them more efficient.  Retailers have an amazing amount of data available right at their fingertips, and it helps them have (only) the right products in front of the right customers at the right time, increasing their ability to turn inventory.

With this much data flying around, not only do you need a way to manage it, but you need a way to secure it.  Retailers traditionally ignored information security until PCI forced their hand.  And I mean REALLY forced their hand.  As in fines being assessed.  Had Visa not fined merchants, PCI DSS compliance rates would have increased over the last two years, but not nearly as rapidly.

l'argent vu de près, by 1suisse

Why do you think that is?  Is it because retailers never really viewed their data as super secret?  Maybe they concentrated only on the Availability and Integrity of their data?

Regardless, now companies are having to deal with PCI, so they begrudgingly comply. Bare minimum.  No additional expenses.  Hire people to deal with PCI only, not really interested in security.  Well, let me rephrase that.  If you speak to the executives, they will tell you they are concerned about security, but their actions (and the actions of some employees) clearly state differently.

Companies that intensely focus on ANY compliance initiative are doing themselves harm in the long run.  Compliance comes and goes, but you will always need to address security.  In fact, you might argue that compliance initiatives like PCI or HITRUST all stem from data breaches caused by poor security.  Complying with the bare minimum requirements from one initiative only leaves you vulnerable to new compliance initiatives that may cover related security issues outside the original scope.

PCI was meant to be a component of the overall security infrastructure, not THE ACTUAL security framework.  In a mature security program, you would have controls defined and mapped back to compliance initiatives.  This way you can save yourself a TON of time and energy by managing to your specific control set, not to each individual compliance initiative.  Imagine the metrics you could pull from that!

PCI will damage your company if it becomes your security framework.  Remember, it changes every two years.  Theoretically, most of the changes are minor and in response to community feedback and compromise trends, but do you really want to be scraping the bottom of the barrel and doing a major overhaul every time PCI changes? Imagine spending tens (or hundreds) of thousands on a compensating control that barely passes PCI DSS, and then having to undo and redo the work the next year because of a change in PCI?  It happens all the time.

How do you solve this problem?  First, you have to find an executive in your company with the testicular fortitude to stand up for Information Security.  Not only must this person be charismatic and full of gusto, he (or SHE of course) must understand why security is important, and be able to relate to other executives in a manner which they will understand as well.  Security is a BUSINESS issue, and the business has to be on-board or you will have lost the race before the gates ever open.

Next you need to get back to basics and start with a wide-reaching enterprise security assessment.  As far as frameworks go, I’m partial to ISO 27002, but choose one (or a hybrid) that makes sense for your business and environment.  Figure out how you match up.  Are you close?  Do you just need to define lots of stuff?  Or is it going to be a long, hard ride?

Finally, create your plan and work on getting there!  It will require time, resources, and probably some new hardware and/or software.  Be sure to review industry BEST practice, and figure out how you can improve your posture intelligently without creating situations where users work around your new controls, and without adversely impacting the business.  The business may need to change some of what it does, but you don’t want to shut it down while in process.  Focus on doing things RIGHT first, then look at where that puts your completion estimates.  Depending on your level of maturity and size, a 2-3 year implementation plan may not be unreasonable.  Going much beyond 5 years signifies some major barriers to completing the project, and a 1 year deadline either means you had most of it right, are a small and nimble company, or you grossly underestimated your timelines.

Remember folks, spend for security, not compliance.  And definitely don’t implement a compliance target as your main security framework. That’s how PCI can ruin you.

This post originally appeared on BrandenWilliams.com.