For those who didn't attend PCI London on 25th January 2012, I reproduce here the article I wrote for their magazine, I hope you find it of some use... :)
THE RISE OF THE NEW CISO: RISK MANAGEMENT VS COMPLIANCE
Last year at PCI London 2011, my article for this magazine was about the need to move from Compliance to Risk Management and I hosted a panel of industry experts from Visa Europe, MasterCard, the PCI SSC, IRM plc as well as representatives from John Lewis plc and the Home Retail Group. It was undeniable that retailers and merchants in general, have felt the need for some while to invest where business value can be derived. The concept of risk management, when it comes to looking at Payment Security, undeniably struck a chord!
It is also evident that merchants, especially larger ones, have been struggling with reaching compliance with the PCI DSS, either financially or structurally. This is mainly due to the complexity of their infrastructure, environment and processes. Investment for PCI DSS is clearly and increasingly the subject of scrutiny by Boards and Executive Committees. The question always is “What could happen if I don’t invest?”
Of course, everyone will be aware of the numerous high profile compromises that happened throughout 2011, so cybercrime is very much on everyone’s agenda. Combined with this, consumers are more and more inquisitive when asked to disclose personal information to third parties and are demanding that their details be protected. And what is credit card information if not personal information? In addition, let’s not forget our regulatory backdrop: the Information Commissioners Office with its increased powers to fine up to £500,000 for breach of the Data Protection Act; France and Germany adopting the EU disclosure laws for data breaches – and the ICO making moves in that direction for the private sector; the ICO publically endorsing the PCI DSS by compelling a retailer to sign an undertaking to comply with it; I could list many more... As a result, a new question emerges: “what could happen to my brand?”
So, here are my questions: is your PCI DSS initiative a discrete one or is it part of your overall information security and governance strategy? Are you deploying technologies or processes for the sole purpose of PCI DSS compliance or are these technologies used as part of your overall governance programme? Have you conducted a global risk assessment and have you got an up-to-date asset register? Do you really know all the potential threats to your assets and do you know how to respond? Are you PCI DSS control activities still part of a PCI DSS Programme or have these moved to business-as-usual operational framework? Have these been automated in any way? Have you deployed an overall education and awareness programme for all levels of your organisation? Is your CISO ultimately responsible for PCI DSS and do they have a seat on your Board?
If you have answered “No” to any of the above, you still have some way to go...
Luckily, it’s not all doom and gloom: the PCI DSS is an excellent set of security controls that can be used a part of an information security policy (I always say, replace every occurrence of “cardholder information” with “sensitive information” in the text of the PCI DSS, and hey presto, you have a ready made set of data security controls! Think about it.)
Luckily, I have observed that Risk Management is now very much on the agenda, as exemplified by the popularity of our very own Barclaycard Risk Reduction Programme, the launch of the Visa Europe Technology Innovation Programme (TIP) recognising the risk mitigation that Chip & PIN gives to face-to-face card acceptance, and the recent PCI SSC Risk Assessment Special Interest Group (SIG).
On that last point, 31 SIGs were up for voting at the last PCI SSC European Community Meetings, and only 3 were elected by Participating Organisations. Barclaycard proposed the Risk Assessment SIG and we have just finalised the Terms of Reference – this group already has in excess of 100 members and started work on 9th January. On socio-economic terms, you will also have noticed that the job boards in the information security field are more and more listing jobs with “Risk” in the title... The industry is coming to understand and appreciate the long-term business value of information protection rather than viewing it only in terms of compliance.
It is therefore a logical conclusion that the CISO, as well as remaining the corporate guardian of the moral fibre, is now increasingly becoming an individual that understands the overall business strategy so that investments in information security are driven by business reality, not by the latest panic or technology fad.
Having said that, life is increasingly complicated: by 2015, there will be more interconnected devices on the planet than humans (UK National Security Strategy, October 2010). Therefore, we all have to consider four very important factors: our customers and the channels to reach them; our workforce; the technologies available to us; and cost vs value. With that backdrop, we have to contend with compliance in all its forms, how we fight fraud and manage our data, how we maintain operational integrity whilst managing reputational risk. On the other hand, our customers are three times more likely to suffer identity fraud than having their home burgled. This makes us inherently vulnerable as the criminals are highly motivated, highly skilled (and can analyse and correlate many data sources – think about all the information readily available on social networks...) and very adept at social engineering.
This brings me neatly to a new attribute of the CISO: the educator. The new CISO needs to be able to articulate the security needs in terms that the business can understand... As a CISO, you may have said the following to your Board: “I need to deploy SIEM because it will enable log correlation and we will be able to manage intrusion prevention and facilitate cyberforensics and automation of processes.” Did you get the investment? Know what is important to your organisation, and something like the following might just get you what you want: “1 hour downtime to the XX server equates to £X in lost revenue and x% increase in customer complaints. Expected failure of the server for this quarter is estimated to be x hours due to obsolete version of x. Investment required is y to mitigate risk for the next 24 months.” As an evangelist, the CISO not only needs to be understood by the Board, they need to make the whole workforce aware of their responsibilities and the implications of not following agreed policies in simple language. (see Hot Security Skills of 2013)
Finally, let me bring an added dimension to the new CISO: they need to stop concentrating on the risk of loss (and the perception has traditionally been that infosec always hinders business) and start taking risks to meet the business objectives. As an example, let’s talk about the consumerisation of corporate IT. What would a traditional CISO do if an executive said to them: “I want to use my personal iPAD to access my business email and other applications.”? The new CISO would probably say: “Yes. Sign here that you understand and accept the associated risks.” That might sound outrageous, but I am not suggesting abdication of responsibilities and putting the organisation at risk, merely assessing the risk and making everyone accountable for the consequences of the decisions that are made, in line with the organisation’s risk appetite and within the overall framework of corporate governance. And of course, PCI DSS should be part of that overall corporate governance framework. To draw a parallel, ten years ago, everyone had a Sarbanes Oxley (SOX) Programme, today no such thing exists, because SOX is now part of overall governance for all those subject to it.
We should get there with PCI DSS. Business as usual...
If you liked this post, see some more on risk management...
If you liked this post, see some more on risk management...
Until next time...