Security professionals are funny.  We are incredibly strong willed and have strong opinions on subjects we live for.  It’s more than passion, it’s Passion++.  Just like regular passion, but with an object oriented framework that makes for the amplification of said passion, but only for those that truly grasp its power.

Don't Tread On Me!

For example, get a security expert that lives and breathes Linux and one that lives and breathes NetBSD in the same room, ask for the most secure, open-source platform, and watch the hilarity ensue.

Some security professionals have developed a dangerous attitude that rears its head when people discuss things like PCI DSS or other compliance topics.

“Don’t tell me how to do my job!”  This sometimes comes across like, “Don’t tell me how to do my job, I’m running my security program into the ground just fine on my own.”

Keep in mind, nearly all of the major compliance initiatives that have a security component really just deal with the basics. If you already had a mature security program in place based on standards like ISO 27002, compliance would probably not bother you much[1]. In fact, in Chapter 14 of our book, I compare PCI DSS to ISO 27002 (and other regulations) and if you review the table on pages 313-314, you can quickly see that PCI DSS represents a subset of ISO 27002.  If you implement all of ISO, you almost immediately comply with PCI DSS.

Don’t let a compliance initiative distract you from what we’re really trying to do—secure your data. Ensure that compliance initiatives support data security (and not the other way around).

This post originally appeared on

  1. That’s advice based on a conversation I had with an influential mentor of mine.  If you are in security, it’s a great concept by which to live.