Sep 21 2009
Branden Williams wrote a post last week, “Why you should love the PCI hater!” It contains some very good advice about why you should talk to the people who dismiss PCI, the people who actively attack PCI and the people who think PCI is a waste of time and resources. Whether you're talking about PCI, some other security framework or security in general, engaging in conversation is almost always a good thing and something you will learn from.
If you follow me on Twitter, you know I love to engage in PCI conversations with the haters from time to time. The same goes for talking about it on the Network Security podcast, trying to convince Rich that PCI has its uses and is not the useless pain in the … backside he originally thought it was. I enjoy helping clear up some of the misconceptions that people often have around PCI and showing them that PCI can be a benefit to almost any security program if it’s leveraged in the right way. And I hope that sharing these conversations in public forums helps more than just the people I’m talking to, that it brings up many of the same questions and concerns that other people have about PCI.
But the most important part of these conversations is what I learn from them. I’ve never claimed that PCI is perfect or that it covers every contingency or weakness in an enterprise’s networks, and I know very few professionals who’d say that it does. Engaging in conversations with ‘PCI Haters’ has helped me understand how to talk not only to other security professionals but also to the clients I deal with on a regular basis. It’s helped me to understand that I need to make it clear to everyone from the system administrator to the senior VP that PCI is only a starting point for securing the enterprise, not the be-all and end-all of security. There’s nothing like getting into a public argument to teach you how to conduct the same conversation in private.
I’ll never convince the true zealot that PCI is a good thing, and that’s perfectly okay with me. But I can understand why someone hates PCI and use that to understand and overcome its weaknesses myself. Understanding the zealot will help me talk to the person who’s unsure or has misconceptions, and maybe help turn the next PCI Hater from a zealot into someone who’s looking at it with a critical eye instead.