Sin #3 – Drunk with Power

QSAs are often in a position of perceived power. They sometimes exhibit authoritarian behavior, oftentimes enabled by the very people they are assessing.

QSAs are just people.

You are hiring them to evaluate your performance against a detailed set of requirements. They are not peace officers, and they are most definitely not auditors[1]. Smart companies will use this knowledge to their advantage and work the psychology of the situation.

[Image: Bad-Boys, by davidsonscott15]

The Psychology of the Situation

The QSA is acting in a position of authority based on his role in the assessment process, passing the QSA training class, and his education and experience. Individuals inside companies being assessed rarely know or remember how the world operates outside their organization and struggle when describing how their own company handles PCI DSS. Don’t get me wrong, assessees typically know their specific view and scope of control, but they suffer from tunnel vision and often end up living in a compliance silo. Consultants on-site—the face of the company hired to determine PCI DSS compliance—can personify this role of perceived power and authority. Add to that cultural differences (both corporate and tribal) that will invariably exist between these two groups and you can see how complex the psychology of a PCI Assessment can get.

Given these inputs, some QSAs will exhibit some of the worst kind of behavior—the Bad Cop. To paint this picture more clearly, think back to your secondary education around the time you started driving. Do you remember that guy (or gal, no sexism here as I’ve seen both) that was the career authoritarian? He didn’t play sports, he was the referee. He didn’t try out for talent shows, he was the judge. He didn’t try to make a bathroom pass last all period, he was the hall monitor. He had aviator sunglasses and started growing a mustache the minute he was able. You used to look at him and think, “If that guy ever becomes a police officer in this town, I’m never coming back!” He’d be the guy that would give you a ticket for two miles-per-hour over the speed limit on a deserted street[2]. Career authoritarians seek out jobs that feed their ego, and a few of them are QSAs.

You might recognize that you have one of these career authoritarians when you hear him say things like, “I’m going to fail you,” or “I can’t find my way to pass you on this requirement.” Don’t be alarmed, just change the way you handle him.

Next, how to deal with a power drunk QSA!

[1] Although some may be CPAs.
[2] Don’t get me wrong, I have both family and friends that are peace officers and love their jobs. Most officers are not like this guy, but this guy tends to crave positions of authority and could end up in some kind of enforcement role.