Sin #7 – Bowing to Threats about the Future
Remember when we discussed consulting being a people business? The last sin we will cover is actually one that can be committed by either party. Maybe more accurately, it is committed by the QSA but enabled by the assessee. QSAs sometimes give in to someone who says, “If you don’t mark this as compliant, I am giving my business to someone else.” I’m not talking about a contract issue or some other incidental dispute during the assessment; I’m referring to the rigor of the assessor being used as a bargaining chip.
It’s My Way or the Highway
As an assessor, I’ve been threatened like this multiple times over my career. Having someone in middle management with an agenda (or even an executive) tell you that you need to “change a report because you will be responsible for losing him as a client” is never pleasant. QSAs who bow to this are making a fatal mistake that could cost their customer and employer dearly. Sloppy assessing could lead to a breach and to a false sense of security on the part of the assessee’s board. QSAs should take these threats seriously, but they should not immediately bow to the pressure unless they realize they made a mistake. If an executive is telling them that two passwords is “basically the same as two-factor authentication,” QSAs should stand their ground and calmly explain that the intent of the standard is to actually have multiple factors of authentication, not multiple instances of one factor of authentication.
How to Avoid the Threat of the Future
There is no cut-and-dried method for avoiding this one, as it tends to be a behavioral response within the assessee’s organization. Like salivation after hearing a bell, employees panic when they think they might be responsible for their company losing money. If a QSA is not savvy enough to realize how to resolve the situation on his own, this mistake might be the one that does your company in.
QSAs in this situation need to validate their assumptions and be sure they are reading the situation according to the intent of the standard. There is plenty of material out there that QSAs can use to do this, but experience is going to be a big asset. If the QSA is wrong, he needs to adjust his position immediately. If the executive is wrong, the QSA needs to make sure his management understands this may not be the kind of customer they want to service long-term.
In some cases, corporate culture allows or even promotes this behavior. It may be OK in some areas of the business, but it is most certainly not in this one. Companies that discover an employee exhibiting this behavior should take swift action against the employee to minimize the negative effect that one bad apple can have on the company.