Inside the heart of a QSA

Posted by diami03 on Thursday May 27, 2010 Under Data Security, security

What a special day, I am happy to share a guest blog from one of my favorite assessors and dear friend Michelle Klinger (@Diami03 on Twitter). She has agreed to add content on Security Sociability from her perspective as a PCI-DSS QSA and information security professional.

-SecBarbie

Inside the heart of a QSA

by @Diami03

One of my true passions as an assessor is when clients actually thank me at the end of an engagement for identifying their weaknesses and then the periodic communications thereafter when they seek my security know-how as they evaluate new initiatives.

For those who do not know who I am, I am a disillusioned, frustrated, confused security professional. Oh, so we have met?! What’s making me feel hopeless, you ask? I must have forgotten to mention I’m a security professional that is also a QSA. Makes sense now, doesn’t it?

I’ve recently been feeling a crisis of infosec faith. For those of you who follow me on Twitter (@diami03), you may have noticed my ire at performing PCI assessments on the rise. To get some perspective, understand that I am a security assessor at heart. I enjoy meeting clients who are truly interested in securing their environment, helping them identify security gaps, and then brainstorming about remediation solutions. I have been performing security assessments for the past 5 years using various security industry standards for guidance, my favorite being ISO 27002. In those 5 years, the rate of compliance-based assessments, most notably PCI, was on the rise, but I was able to satisfy my information security fix with those clients who just wanted to understand their environment and secure it.

Sadly, those days are long gone. Now I’m left with a checklist and a list of clients a mile long who are waiting in line to be branded as PCI compliant. Gone are the clients whose sole concern was for all of the information they housed. No longer am I able to assist clients in understanding their environment and help steer them down the path of information security righteousness. No, those days are long gone. Now I’m told to mind my business. If I make a security recommendation based on an observation, and I am unable to point to a PCI requirement mandating it, then I’ve committed an act of blasphemy.

Fine, with all that said, what’s my point? I’m not really sure I have one, other than to exorcise these feelings of impotence and publicly restate my commitment to security, and not just to being a checklist babe. I also thought I might shed some light on the internal battle some QSAs are feeling, which you might not be aware of. Although many of you have a negative view of QSA assessors, which I blame the PCI QSA process for, understand that there are a few of us silently screaming but unable to be heard. This is my silent cry!

I get it, not everyone is happy in their job. As was made clear in the 2009 Dark Reading article “One in Two Security Pros Unhappy in Their Job,” we are not all 100% satisfied in our current positions, and “IT security pros feel they could be doing more.” For now I’ll continue doing PCI assessments because, quite frankly, I like the idea of being able to pay my mortgage every month. I would like to make one thing clear, however: I do not plan on just sitting back and letting the problems fester, but am attempting to raise awareness by giving talks, writing blog posts, and sharing my frustrations and suggestions for change with the industry.


SecurityBSides in San Francisco, held on March 2nd and 3rd at Parisoma, was an experience that those in attendance will not soon forget. This is not because of Andrew Hay’s opening slide with his pink dress, but because of a community of security professionals sharing and collaborating in a fresh new way, unlike the vendor-is-king conference across town. What makes this conference so very different is the granular level of interaction attendees can have with the speakers and sponsors. Not only are the actual talks much more interactive, but the sponsors in attendance can actually interface with the attendees, understand their needs, and convey their message in a conversation rather than a five-minute expo-floor pitch.

Some of the talks that were covered over the 2 days of the event are listed here.

Media coverage of SecurityBSides here.

Thank you to the vendors & volunteers that made this event possible!

Upcoming SecurityBSides Events:

March 13, 2010 - BSidesAustin – “Keep Security Weird” – Coinciding with SxSW Interactive

April 24-25, 2010 - BSidesBoston – weekend after SOURCE Boston.

July 29-30, 2010 - BSidesLasVegas – coinciding with Black Hat / Defcon

Here are some highlights from SecurityBSides San Francisco acquired using the ancient art of screen capture from the Flickr streams of Jack Daniel and Vissago.


One might ask why a techie-geek security management person like myself would go to the #140 Conference in New York. The security reason of interest to myself and to my organization is information leakage through Twitter, as well as furthering social education about new technology risks.

What is #140Conf? You can check it out in the words of Jeff Pulver, on his ideas behind creating the conference.

Having just spoken about the issue of adult social networking education last week, I feel that this will be a fantastic opportunity to get to the grass roots of how viral social networking can change personal brand definition and how information leakage impacts organizations. The number of people getting fired, expelled from schools, and socially blacklisted due to a lack of forethought when using Twitter is absolutely amazing; couple this with what information can be distributed with malicious intent and we have one powerful medium. Security awareness outreach is needed to better educate everyone on the impact of what they say today on the life they will live tomorrow.


Please look forward to my photo-blog, which I will be updating daily throughout my trek through the #140conf jungle, as well as recaps of key topics.


Sync-Sync – Mobile Syncing Services Insecurity

Posted by SecBarbie on Tuesday Sep 30, 2008 Under Data Security, Mac, security



FTC’s Fine for ChoicePoint Breach

Posted by SecBarbie on Thursday Jan 26, 2006 Under Data Security, security

The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to obtain Social Security numbers, credit reports, and other data on nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a trust fund for people victimized by identity thieves. From the article: ‘As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.’

Read More at: http://www.suntimes.com/output/business/26choice_point.html
