Now, I still have to formulate my [deep?] thoughts about the whole RSA 2009 conference. However, here is one post that I just have to write now… right now :-)
At RSA, I had a few people argue with our “PCI Shrugged” paper by showing examples of where PCI DSS was indeed a distracter and resources were pulled from projects that would have reduced information risk more than implementing PCI DSS controls. Typically, those arguments referred to technologies that are not mentioned in PCI DSS guidance (such as DLP), but that would be more effective in reducing their risks than PCI-mandates controls. Still, in most cases I thought that our argument about PCI DSS covering the basics first still holds water.
However, one argument did give me pause in a big way.
Imagine that the resources of your security team are being pulled to PCI DSS compliance implementation from … a response to a live ongoing security incident. You bet it cannot happen? I would bet that too, but we would both lose… The management considered lack of PCI DSS validation to be a bigger risk to their bottom line than an actual ongoing intrusion. This just blows up my mind :-)
In fact, I had nothing to say to whoever brought this argument at the time. I stammered and then remembered that Requirement 12.5.3 mandates that an organization must “Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.” However, when uttering this I knew what their answer would be. “Yup! A plan it does mandate… us acting on this incident here – not so much” was the quoted response from their management.
However, now that I had time to ponder this (and to fully recover from shock), I have this to say:
- PCI DSS does not cure stupid! It was not supposed to, in can’t, and it won’t!
- PCI guidance lacks the magic power to imbue its reader with a shot of common sense.
- PCI does not add “+5” to Intelligence or Wisdom scores (for those who like game metaphors).
In other words, one CAN be stupid with or without PCI DSS; you can ignore security even in the face of PCI DSS. One RSA speaker suggested that PCI is like a baseball bat; you can use it to play – or you can have you faced “batted” in by somebody really, really stupid…
Possibly related posts: