Sin #4 – Buddying Up with an Executive

Consulting is a people business. People buy knowledge, skills, and services delivered by other people. Unlike a product business, you can’t guarantee that each unit is exactly the same, even from the same person. And also unlike a product business, the consultant interfaces on a human level with various members of the executive staff. Strange things can happen when QSAs buddy up with executives. Let’s explore a situation near and dear to me.

My Standard > PCI DSS

Executives act different after someone suspects a security breach has happened on their watch. All of the sudden, they get religious and grow a tiny, beating security heart inside their otherwise empty chest. This is, of course, a very broad and unfair generalization as more and more executives are paying attention to information security. My story comes from an experience from several years ago.

Streeter Seidell, Comedian, by Zach Klein

A company called upon my group to help them understand if they suffered a breach after they were fingered as the likely common point of purchase. This particular company didn’t ignore information security, but they never took PCI very seriously and only focused on some elements of the larger suggested baseline from ISO 17799 (current at that time). Once they were suspected to be the cause of a breach, the information security office was instantly promoted to an executive level and the buzz from the top down was all about being the most secure company in their space. I was pulled aside early in the process and given a specific directive: “PCI DSS isn’t good enough for us, and we want to exceed in the following areas.” I was instructed to not mark someone’s area compliant to PCI DSS in areas where management’s standard was more stringent. I was building a good relationship with this particular executive which was paying dividends for my own career.

I had several meetings during that year where managers would ask me to point out exactly where the standard told them to use 256-bit keys instead of 128-bit keys (one of the many enhancements against which I was instructed to validate), and I could only tell them that my instructions from the company were to highlight their name in my weekly status reports until they implemented 256-bit keys. It was a horrible position to be in, because the assessor AND security professional in me recognized that 128-bits of encryption would be just fine.

This post originally appeared on BrandenWilliams.com.