The spending constraints in the current fiscal environment, organizational impatience with initiatives that cannot demonstrate their return on investment, and the increasing integration of security into normal business practices will pressure us to communicate with each other and with our corporate masters in a consistent, comprehensible fashion. As we consider girding ourselves for that long march, I am wondering whether the Payment Card Industry Data Security Standard (PCI-DSS) could be the start of a more global language, and if so, should it be?
For those not familiar with it, PCI-DSS is organized into 12 security areas, covering controls for networks, application development, logging, testing, and policy, among others. The document is comprehensive, covering more than 200 requirements for compliance, and the controls it describes are more prescriptive than what you would find in Sarbanes-Oxley language, though well short of a full-blown NIST or OWASP standard on a particular control. After spending the last year directing a global PCI remediation and compliance program, I am still undecided whether the categorization and (relative) clarity of the DSS is an early step toward measuring risk across organizations or within industries, or a come-hither invitation down the path to an evolutionary dead end.
Whether we ultimately embrace or dismiss PCI-DSS, it has already piqued the interest of non-security corporate leadership, at least within my admittedly limited purview, as a way for non-practitioners to understand security risk and to benchmark themselves against their peers. Many of our organizations do not “make” security as a product or service, so money not spent on risk mitigation can be redirected to revenue-generating activities. The people who control our purse strings are unlikely, unless it is a competitive differentiator, to want to outspend their peers on security. That is a constraint we will have to manage skillfully in the coming years to ensure we are successful at, and satisfied with, our security.
