For those who didn't attend PCI London on 25th January 2012, I reproduce here the article I wrote for their magazine, I hope you find it of some use... :)
THE RISE OF THE NEW CISO: RISK MANAGEMENT VS COMPLIANCE
Last year at PCI London 2011, my article for this magazine was about the need to move from Compliance to Risk Management, and I hosted a panel of industry experts from Visa Europe, MasterCard, the PCI SSC and IRM plc, as well as representatives from John Lewis plc and the Home Retail Group. It was undeniable that retailers, and merchants in general, have felt the need for some while to invest where business value can be derived. The concept of risk management, when it comes to looking at payment security, undeniably struck a chord!
It is also evident that merchants, especially larger ones, have been struggling with reaching compliance with the PCI DSS, either financially or structurally. This is mainly due to the complexity of their infrastructure, environment and processes. Investment for PCI DSS is clearly and increasingly the subject of scrutiny by Boards and Executive Committees. The question always is “What could happen if I don’t invest?”
Of course, everyone will be aware of the numerous high-profile compromises that happened throughout 2011, so cybercrime is very much on everyone’s agenda. Combined with this, consumers are more and more inquisitive when asked to disclose personal information to third parties and are demanding that their details be protected. And what is credit card information if not personal information? In addition, let’s not forget our regulatory backdrop: the Information Commissioner’s Office with its increased powers to fine up to £500,000 for breach of the Data Protection Act; France and Germany adopting the EU disclosure laws for data breaches, and the ICO making moves in that direction for the private sector; the ICO publicly endorsing the PCI DSS by compelling a retailer to sign an undertaking to comply with it; I could list many more... As a result, a new question emerges: “What could happen to my brand?”
So, here are my questions: is your PCI DSS initiative a discrete one, or is it part of your overall information security and governance strategy? Are you deploying technologies or processes for the sole purpose of PCI DSS compliance, or are these technologies used as part of your overall governance programme? Have you conducted a global risk assessment, and have you got an up-to-date asset register? Do you really know all the potential threats to your assets, and do you know how to respond? Are your PCI DSS control activities still part of a PCI DSS Programme, or have these moved into a business-as-usual operational framework? Have these been automated in any way? Have you deployed an overall education and awareness programme for all levels of your organisation? Is your CISO ultimately responsible for PCI DSS, and do they have a seat on your Board?
If you have answered “No” to any of the above, you still have some way to go...
Luckily, it’s not all doom and gloom: the PCI DSS is an excellent set of security controls that can be used as part of an information security policy (I always say, replace every occurrence of “cardholder information” with “sensitive information” in the text of the PCI DSS and, hey presto, you have a ready-made set of data security controls! Think about it.)
Encouragingly, I have observed that Risk Management is now very much on the agenda, as exemplified by the popularity of our very own Barclaycard Risk Reduction Programme, the launch of the Visa Europe Technology Innovation Programme (TIP) recognising the risk mitigation that Chip & PIN gives to face-to-face card acceptance, and the recent PCI SSC Risk Assessment Special Interest Group (SIG).
On that last point, 31 SIGs were up for voting at the last PCI SSC European Community Meetings, and only 3 were elected by Participating Organisations. Barclaycard proposed the Risk Assessment SIG and we have just finalised the Terms of Reference; this group already has in excess of 100 members and started work on 9th January. In socio-economic terms, you will also have noticed that job boards in the information security field are increasingly listing jobs with “Risk” in the title... The industry is coming to understand and appreciate the long-term business value of information protection rather than viewing it only in terms of compliance.
It is therefore a logical conclusion that the CISO, as well as remaining the corporate guardian of the moral fibre, is now increasingly becoming an individual that understands the overall business strategy, so that investments in information security are driven by business reality, not by the latest panic or technology fad.
Having said that, life is increasingly complicated: by 2015, there will be more interconnected devices on the planet than humans (UK National Security Strategy, October 2010). Therefore, we all have to consider four very important factors: our customers and the channels to reach them; our workforce; the technologies available to us; and cost vs value. With that backdrop, we have to contend with compliance in all its forms, how we fight fraud and manage our data, and how we maintain operational integrity whilst managing reputational risk. On the other hand, our customers are three times more likely to suffer identity fraud than to have their home burgled. This makes us inherently vulnerable, as the criminals are highly motivated, highly skilled (and can analyse and correlate many data sources; think about all the information readily available on social networks...) and very adept at social engineering.
This brings me neatly to a new attribute of the CISO: the educator. The new CISO needs to be able to articulate the security needs in terms that the business can understand... As a CISO, you may have said the following to your Board: “I need to deploy SIEM because it will enable log correlation and we will be able to manage intrusion prevention and facilitate cyberforensics and automation of processes.” Did you get the investment? Know what is important to your organisation, and something like the following might just get you what you want: “1 hour of downtime on the XX server equates to £X in lost revenue and an x% increase in customer complaints. Expected failure of the server for this quarter is estimated to be x hours due to an obsolete version of x. Investment required is y to mitigate the risk for the next 24 months.” As an evangelist, the CISO not only needs to be understood by the Board; they also need to make the whole workforce aware, in simple language, of their responsibilities and the implications of not following agreed policies. (See Hot Security Skills of 2013.)
Finally, let me bring an added dimension to the new CISO: they need to stop concentrating on the risk of loss (the perception has traditionally been that infosec always hinders business) and start taking risks to meet the business objectives. As an example, let’s talk about the consumerisation of corporate IT. What would a traditional CISO do if an executive said to them: “I want to use my personal iPad to access my business email and other applications”? The new CISO would probably say: “Yes. Sign here that you understand and accept the associated risks.” That might sound outrageous, but I am not suggesting abdication of responsibilities and putting the organisation at risk, merely assessing the risk and making everyone accountable for the consequences of the decisions that are made, in line with the organisation’s risk appetite and within the overall framework of corporate governance. And of course, PCI DSS should be part of that overall corporate governance framework. To draw a parallel, ten years ago everyone had a Sarbanes-Oxley (SOX) Programme; today no such thing exists, because SOX is now part of overall governance for all those subject to it.
We should get there with PCI DSS. Business as usual...
If you liked this post, see some more on risk management...
Until next time...