Silas the Rookie, by Eric Hamiter

In my recent presentation, “The Mistakes QSAs Make,” one of the mistakes I highlighted is that QSAs will often send the F’ing New Guy (FNG) to perform your assessment.  Now before we go bagging on junior consultants, I want to be clear that (most) of these guys are both capable and qualified.  Starting this year, new QSAs have to take a closed book exam which should cause the amount of late night partying and drinking to decrease during training, and push the fail rate up (which is not necessarily a bad thing).

Let’s say that you are the FNG.  Step Zero to avoiding looking like a rookie is to admit to yourself that you are the FNG.  Once you admit it, you can prepare for the job that is coming at you bright and early on Monday morning.

Hopefully you are not the FNG going solo on your first PCI Assessment.  If you are, shame on your company for putting you in that position.  My philosophy continues to be that there should always be a minimum of two QSAs on every assessment, and that every consultant attached to the assessment should be a QSA.  But if you are not lucky enough to be in this situation, here are a few steps you can take to ensure that you don’t look like the FNG:

  1. Know the PCI DSS. This is kind of a duh, but after cramming for a test you may have forgotten much of what you learned.  Do you need to memorize word for word?  Probably not, but the best QSAs will be able to tell you that Requirement 10.2.1 is the one that says you have to log any access to cardholder data, and 11.3.2 applies to application penetration tests.  Don’t get caught frantically flipping through a paper copy of the standard in front of your customer.
  2. Practice interviewing in front of a mirror. Yep, this will feel utterly ridiculous when you do it. The goal here is to practice conducting interviews just like you would rehearse a presentation.  The best presenters are ones that are well prepared, and they practice their presentation until they get it right.  Imagine you are talking to the legal counsel for your customer and conduct a mock interview.  Do you remember questions you need to ask?  Do they naturally flow from one to the next?  Paper is nice for reference, but you look like an experienced cowboy if you can anticipate questions and have a proper question flow for the interview. If I were you, I’d invest plenty of time here and run through every possible interview scenario you can dream up.[1]
  3. Ask open-ended questions. If your method of interviewing does not include open-ended questions, you will not get what you need.  Don’t do this: “So, Requirement 10.2.2 says you should log all administrator actions.  (awkward pause) You, uh, do that, uh, right?”  That’s a leading question, and will most likely get you a “Sure” answer from the customer.  Instead ask, “What do you do in your Solaris environment to log all administrator actions?”
  4. RESEARCH! This one is harder, but the best way to show experience is by being able to relate to a customer’s situation regardless of the circumstances.  AS400?  No problem!  Linux?  DONE!  Mainframe? Child’s play!  Get some heads up before you show up on site.  Know what the customer has deployed and be sure you have done your research.  If you are walking into a customer that deployed a 4690 POS solution, you should know the issues faced with that platform before walking in the door.
  5. Finally, RELAX! If you look nervous, that will make your customer’s spidey sense tingle a little bit, and their behavior may become unpredictable.  No, they won’t start shooting webs at you, but they may decide that your nervousness is a show of weakness, and take control of the interview.  That wastes your time and ultimately hurts the customer.

The theme here is to be prepared.  Thorough preparation will make your experience much better and your confidence overall will be higher.  Customers like confident consultants (NOT cocky ones)[2] and will appreciate the time you put in to tailor the experience more toward their setup.

This post originally appeared on

  1. Shut up about ending this one with a preposition.  Couldn’t think of a better way to reword it without sounding like Yoda in Attack of the Clones.
  2. The line between confidence and cockiness is thin.  Be sure you are on the right side of that line.