What a special day, I am happy to share a guest blog from one of my favorite assessors and dear friend Michelle Klinger (@Diami03 on Twitter). She has agreed to add content on Security Sociability from her perspective as a PCI-DSS QSA and information security professional.
-SecBarbie
Inside the heart of a QSA
by @Diami03
One of my true passions as an assessor is when clients actually thank me at the end of an engagement for identifying their weaknesses and then the periodic communications thereafter when they seek my security know-how as they evaluate new initiatives.
For those who do not know who I am, I am a disillusioned, frustrated, confused security professional. Oh, so we have met?! What’s making me feel hopeless, you ask? I must have forgotten to mention I’m a security professional that is also a QSA. Makes sense now, doesn’t it?
I’ve recently been feeling a crisis of infosec faith. For those of you who follow me on Twitter (@diami03), you may have noticed my ire at performing PCI assessments on the rise. To get some perspective, understand that I am a security assessor at heart. I enjoy meeting clients who are truly interested in securing their environment, helping them identify security gaps, and then brainstorming about remediation solutions. I had been performing security assessments for the past 5 years using various security industry standards for guidance, my favorite being ISO27002. In those 5 years, the rates of compliance-based assessments, most notably PCI, were on the rise, but I was able to satisfy my information security fix with those clients who just wanted to understand their environment and to secure it.
Sadly, those days are long gone. Now I’m left with a checklist and a list of clients a mile long who are waiting in line to be branded as PCI compliant. Gone are the clients whose sole concern was for all of the information they housed. No longer am I able to help clients understand their environment and steer them down the path of information security righteousness. No, those days are long gone. Now I’m told to mind my business. If I make a security recommendation based on an observation, and I am unable to point to a PCI requirement mandating it, then I’ve committed an act of blasphemy.
Fine, with all that said, what’s my point? I’m not really sure I have one, other than to exorcise these feelings of impotence and publicly restate my commitment to security and not just a checklist babe. I also thought I might shed some light on the internal battle some QSAs are feeling which you might not be aware of. Although many of you have a negative view of QSA assessors, which I blame the PCI QSA process for, understand that there are a few of us silently screaming but unable to be heard. This is my silent cry!
I get it, not everyone is happy in their jobs. As was made clear in the 2009 Dark Reading article “One in Two Security Pros Unhappy in Their Job,” we are not all 100% satisfied in our current positions, and “IT security pros feel they could be doing more.” For now I’ll continue doing PCI assessments because, quite frankly, I like the idea of being able to pay my mortgage every month. I would like to make one thing clear, however: I do not plan on just sitting back and letting the problems fester, but am attempting to raise awareness by giving talks, writing blog posts, and sharing my frustrations and suggestions for change with the industry.

May 27th, 2010 at 1:34 pm
>Sadly, those days are long gone.
So, what has changed? Are these different clients? Different types of org? Or something else?
I find it hard to believe that the same people care LESS about security now compared to a few years ago…
May 27th, 2010 at 6:22 pm
@anton_chuvakin: I believe there are a number of things that have changed; but I think the issue isn’t the same people caring less, it’s new people suddenly having to care more. As I see it though, the new folks don’t ultimately care about “security”, just “compliance”, and often only compliance inasmuch as it affects their bottom line (e.g. PCI), or them directly (e.g. SOX penalties).
Add to that the belief that compliance ensures security, and things are quite dismal.
The belief that compliance and security are the same has a horrible side effect in that once compliance requirements have been met, it is difficult to convince the business why there’s any more to do.
Unfortunately, the standards and legislation are created such that often the focus is on verifying that i’s have been dotted and t’s crossed, where perhaps entire paragraphs should be just removed.
As a result, vast amounts of time, energy, and money are spent to ensure compliance, often to the detriment of other programs or initiatives which could result in an ultimately more secure environment.
I’d go on, but this comment is likely too long as it is.
May 27th, 2010 at 6:27 pm
Sadly, that’s part of maturity as an industry: you’re doomed to continue this spiral down into a commodity market. The problem with being in a commodity market is that people aren’t willing to pay for good service; they want to pay for the cheapest solution that meets the minimum standard. Unfortunately for the good people, if they don’t recognize this and change gears/markets every 5-10 years, they will be increasingly frustrated. Maybe it’s best said in a past blog post of mine: http://www.guerilla-ciso.com/archives/412
May 28th, 2010 at 5:44 am
I would venture to say the motivation is now different. The clients I had before were still driven by the trickle-down effect, in that their clients were requesting that security assessments be performed. These assessments were either part of their client’s vendor due diligence, or the assessment was being used as a way to show potential clients their security posture. In this scenario the client is self-motivated to secure, not threatened to do so. When self-motivated, the attitude is different.
What is fundamentally different is that one type of assessment reviewed the environment as a whole and provided overall feedback as to their security “posture”, whereas PCI is all or nothing. You either have it all in place or you have nothing in place. This has clients focused only on the end result, not the journey on how to get there or the intent behind it. Why? Because in the end, it does not matter as long as everything is “in place.”
May 28th, 2010 at 7:48 am
[...] It can be downright disheartening to be a QSA. If you do your job and identify holes in a merchant or service provider’s systems, they’re upset. If you try to help them adapt their current systems to meet with PCI, they think you’re letting them off the hook. If you send them a packet of documents about what to expect during the assessment and what they’ll need to gather, more often than not the client will ignore it and claim you never told them what you needed. If their due date for compliance is coming up quick, it won’t matter how long you told them the writing and quality control process would take, they want their Report on Compliance turned around overnight. And then there’s the whole ‘check list’ mentality that has many people responding to the letter of the PCI DSS, completely ignoring that with a little more effort they could have increased their security instead of just marking off a box. Yes, being a PCI can be frustrating, annoying as hell and will burn you out if you’re not careful. Just ask my friend Michelle, she’ll tell you exactly how hard it is to be a Qualified Security Assessor. [...]
May 28th, 2010 at 7:58 am
Gives me a crazy idea on structuring catalogs of controls, security management frameworks, and assessment results. I’ll blog it next week, but the title of the concept is “split-horizon assessments”.
May 28th, 2010 at 10:58 am
Great writeup, thanks! I LOVE that you’re not being defeatist. One can make a difference.
June 4th, 2010 at 8:33 am
I’m glad I’m not a QSA anymore, but happy that the author can still pay her mortgage. Keep fighting the good fight and stick to your guns (or heart!)
June 4th, 2010 at 8:46 am
I know the feeling! Have abandoned the QSA arena myself. The standard is frustrating and, as you mentioned, the clients are far too check-list focused these days … They want the bare minimum to become compliant.
Equally frustrating is the reluctance to change their business processes. They neither accept their responsibilities nor agree to outsource handling credit card data … Grr!
June 4th, 2010 at 9:19 am
“You are PCI certified! But you score in the lowest 10th percentile for effort and ‘Getting It.’ You should really just cry yourself to sleep at night.”
^^ Maybe PCI needs more than just Pass/Fail? I can only dream, probably.