How to Avoid the Buddied-Up QSA
If you are lucky enough to have one, it’s hard to avoid his impact. It could get even worse if the guy is also drunk with executive-sponsored power. When I was a buddied-up QSA, I told those managers to get a meeting together with the executive and discuss the technical and business constraints they faced. I also instructed them to make sure they did their homework. Don’t whine, and don’t focus on why you shouldn’t meet the executive’s standard. Bring everything to the table that is required to meet the executive’s directive. This should include any capital expenditures like hardware and software, the cost of people’s time, and soft costs such as lost productivity, other projects having their completion dates pushed out, and the downtime associated with wide-scale rollouts (there will be some, no matter how hard you try to avoid it). Most importantly, bring two to three alternatives with associated costs that would meet the base requirements of PCI DSS, and include some kind of roadmap to get your area to the executive’s standard. You don’t want anyone to lose face here (least of all the executive), and if you can reasonably show a way to get your area to that standard, it will eventually make you a hero (things may be tough in the short term, but think long term).
This is where a good knowledge of business tools like MS Excel will pay off. If you have not learned how to use modeling or Solver inside Excel, do yourself a favor and invest some time learning this powerful tool. Not only will you make your life easier by letting the software crunch the numbers for you, but you will be presenting information back to executives in a familiar manner. Your CIO isn’t going to give a rip about the challenges of upgrading a Cisco infrastructure that was not designed for the future, or about why your life will be painful. It’s your job to do these things. But if you present a business argument with a logically thought-out solution, you may be surprised at how you get what you need in order to do your job. My final piece of advice: executives tend to have excellent bullshit alarms. Be sure to back up every single assumption and every piece of data used in your model with raw data. Avoid relying on an analyst’s projection without knowing how they arrived at that projection. Prepare for an inquisition and you will come across as more confident and more capable of doing your job.