Bob Carr was recently quoted in a Computerworld article saying that QSAs let [Heartland] down.  Of course, he is not referring to his most RECENT QSA, but I’m sure that was an editorial change to make the story more interesting.

The article is a fantastic read, but also slightly humorous in nature. I’m going to leave Heartland’s situation out of this post and look at how other companies have dealt with breaches. If you want to see what others are saying, check Rich Mogul, Mike Rothman, and Andy Willingham.

epsilon, by chadmiller

Nearly every company I have worked with suddenly “Gets Religion” after a breach.  Before the breach, security is not top of mind, so requirements like PCI DSS feel burdensome rather than routine.

Security always becomes much more important after you’ve been bitten.  It’s a massive pendulum that swings WAY out to the over-reacting, knee-jerk edge, where before it sat way out on the other edge of complacency and letting the risk ride.  By the way, the blame for this lies squarely on our shoulders, the security professionals.  We do not do a good enough job of working with the business to help them understand the real risks and the real costs of doing business, which is exactly the work that would prevent something like this from happening.

Don’t believe me?  Here are some phrases I have NEVER HEARD come from one of my customers or prospects:

  • Hey Brando, this price is OK, but can you double it and really dig beyond what is required by PCI DSS?
  • I know this area over here is TECHNICALLY not in scope, but can you include it anyway so we can ensure we have good security controls there too?
  • I need you to pull a larger, statistically valid sample with a lower tolerable error rate so I can do more validation on our IT processes.

Now let me tell you some phrases I hear OFTEN from my customers or prospects:

  • You don’t need to look at any of these systems, they don’t store CC data (a misconception: PCI DSS applies to any system that stores, processes, OR transmits cardholder data, not just the ones that store it), so don’t go into that room.
  • Are you sure you have to perform that test?  I only want the bare minimum.
  • You have to pass me!  My anniversary date is in two weeks and I cannot patch this two-month-old vulnerability by then!
  • Come on, two passwords is practically two-factor!
  • Look at the real risk here!  There’s only 100K cards in plain text on this machine at any given time, that’s not a big deal, right?

Can you guess which group of questions might be asked by someone who has recently[1] suffered a breach?

So here’s the thing. Some QSAs WILL let you down.  You get what you pay for, and some QSAs may not do a good job.  The Council’s quality assurance (QA) program for QSAs is working to address this.  But you are letting yourself down if you allow something like this to happen.  If you realize that the assessment is not thorough, you should either work with the QSA to fix it or terminate the contract and find one that does have your best interests in mind.

This post originally appeared on BrandenWilliams.com.

  1. This is an important distinction.  Companies that suffered breaches in the past sometimes become complacent and forget what they learned until the next one happens.