Being a Security Professional

Being a security professional can be a curse when logically thinking your way through compliance initiatives. No compliance initiative should be a substitute for a sound information security program, but we as security professionals often get caught in the compliance trap. We’ve been beating the security drum for years, yet our musical stylings have gone unappreciated. Enter a compliance initiative and all of a sudden someone is forcing the business to do what we’ve been telling them to do all along! We tend to take advantage of this new security spending windfall and add all kinds of stuff to purchase orders in the name of compliance.


QSAs are guilty of this as well. Oftentimes a QSA knows there is a security issue that needs correcting, and tells a merchant to do something to satisfy it in the name of PCI DSS. For example, the process of scanning a location quarterly for rogue wireless devices is a badly constructed joke whereby the punchline is met with crickets from the crowd. If you are serious about detecting rogue wireless devices, you need to have something constantly searching and cataloging, and you need personnel to walk the floors to look for things physically out of place[1].

So if you approach PCI DSS from a security professional’s point of view, you might make up a requirement for Wireless Intrusion Detection Systems (WIDS) to be installed as a means to meet PCI Requirement 11.1. In fact, I was guilty of doing this for merchants using WiFi point-of-sale (POS) devices. I recommended this to one of my customers even though there is nowhere in the PCI DSS that supports this notion. It’s darn good sense, but not a requirement.

This post originally appeared on BrandenWilliams.com.

  1. Also, would the WIDS vendors please stop cheering after reading this. We get it, and we heard you. Every year since this thing got started. And at every community meeting. Go sell your product on VALUE and don’t fall into the compliance trap.