Monthly Archives: August 2014

So, uh, is PCI DSS effective?

After the last post, I thought I’d describe some of the challenges with measuring the effectiveness of PCI DSS. Some camps argue it is absolutely effective because there has not been a compromise to date of an entity that was fully compliant with PCI DSS at the time of their breach. Others suggest extremely low compliance rates in certain groups of merchants indicate it’s not effective in helping the little guy. A few pick up headlines and just scream that it’s broken. An industry colleague of mine, Steve Levinson, is famous for a number of sayings. One he uses when faced with numbers that sometimes don’t make sense is: “There are lies, damn lies, and statistics.” While I know he ...


Is PCI DSS Effective?

Another week, another breach. SuperValu is the latest entity to suffer a breach involving credit cards, and I saw a tweet over the weekend that inspired this post. It was along the lines of “I’d hate to be the guy who has to explain how PCI DSS is effective against breaches.” While there is some humor in the tweet, there is more than just the standard in play here. PCI DSS by itself is a good baseline for handling cardholder data. I’ve written articles, blogs, books, and given talks on the merits of PCI DSS (if you are on the Council reading this, remember, I’m an on-record supporter). PCI DSS also has flaws, compared to other compliance initiatives, that are ...


Why won’t you change your password?

There was a very interesting post by Punam Keller last week on the HBR Blog Network on the psychology of passwords. This isn’t like the previous posts you have seen on this blog. While I tend to focus on the technical problems and ways around them, Keller explores the behavioral aspects of passwords and our general resistance to doing what we all know is right. She highlights four attitudes that people have when it comes to passwords: people who don’t know they should change their passwords, most likely because they intentionally ignore information that indicates they should; people who know they should change them but avoid doing it because they think password theft and misuse will happen to someone else; people who ...


Locking your Door is a Bad Analogy for PCI DSS Compliance and InfoSec

Storytelling is a pastime that spans all of human existence. Famous stories like cultural parables or classics like Romeo & Juliet attempt to tackle complex or conflicting ideas and relate them to someone. We use it to pass information from place to place, to captivate audiences when delivering unexpected information (see TED talks), and to explain to a lay person why they should take some action. Pick a security standard or compliance initiative, and you will find hundreds of analogies that attempt to reduce its complexity to a tagline or short list of tasks. One in particular that is quite popular in the PCI DSS and information security space is comparing compliance with locking your front door. Of course you ...


Consider the Hawthorne Effect for Big Data

The Hawthorne Effect is a term coined to explain inconclusive results from a set of studies performed at Western Electric Company’s Hawthorne Works on worker productivity in the 1920s and 30s. Essentially, researchers were confused by the productivity results from two specific parts of the study, changes in illumination levels and worker break time, which improved productivity only during the study. Workers knew they were being studied and thus improved productivity regardless of the changes the researchers implemented. The Hawthorne Effect is used to describe positive research results that are caused by the workers’ awareness of being observed, not by the independent variables actually studied. Researchers today work to reduce this effect in a number of ways, but it is still a tricky process. The ...


Corporate Survival Tips for Young Professionals: The Roundup

Well, it’s been quite a journey over the last month or so! I hope that some of the things presented here are helpful. I’m happy if just one tip makes a change in your career! During my research for this series I found TONS of other bloggers who have posted information about some of these skills (many around politics and politically charged environments). I would encourage you to find more information on your own to further your skills. As a suggested starting place, check out the blog post by Jack Zenger and Joseph Folkman titled The Skills Leaders Need at Every Level. If you need a quick reference to ALL of the posts in this series, use this link. ...


Corporate Survival Tips for Young Professionals: Presenting

For the final post (for now) in this series, I wanted to take a moment to discuss presenting. At some point in your career you will need to present something to a group of colleagues, industry peers, or superiors. For those of you who are already suffering from nausea and dry mouth, the worst part is that you might be caught in a Catch-22: skipping or bombing that presentation could be career limiting. I’ve been presenting in some form or another fairly regularly for a little over ten years. I still get nervous. In fact, I typically don’t really get into the groove until the audience does something to reinforce what I am talking about. It could be a laugh ...


Corporate Survival Tips for Young Professionals: Writing

This isn’t going to be a long post. I frequently give training on writing to technical folks because I have found it to be one of the easiest things to fix among technical people. Just like the accounting analogy, non-linguistic majors must be able to articulate ideas in ways that help them advance their careers. When I taught grad school, I took a full letter grade away for spelling and grammatical errors; that’s how important this is. Check out these two posts and then spend some time using your newfound Google skills to find more resources on improving your writing: On Writing: The Funnel vs. the Brain Dump, and Business Writing Bad ...


July 2014 Roundup

This month has been a departure from the norm as we discussed some of the survival tips that young (and sometimes experienced) professionals lack, hurting their advancement and survival opportunities. Once again, you are all very interested in customer service, how you define cardholder data, and the fun economics of the Starbucks gift card (which is still growing at a great clip). Here’s what you guys liked the most last month. The Only Customer Service Script You Will Ever Need. The economy is humming along quite nicely. How do we know? Because people are getting poor customer service and reading posts like this one. Is customer service less important now that customers are easier to come by? Check out this ...
