I love my children, I really do. Especially when they remind me of some of the life lessons I learned long ago but have forgotten from my conscious mind. And even more importantly when those life lessons are the same lessons that can be applied to the job I do on a daily basis. Let me tell you a short story and how that relates to security in general and PCI specifically.
As we all know, Halloween was only a few days ago and many of us have large bowls filled with candy sitting around the house. My house is no different and like many other parents, we’ve tried limiting the intake of candy by our kids to dessert and perhaps one or two pieces of candy throughout the day. Today was no exception, so when my children asked if they could have dessert, I told them they could have one piece of candy each. My eldest son thought this was fine, but my youngest son spent a fair amount of time rooting around his bowl and when I finally told him it was time to make a decision, the look he gave me told me something was up. I had him open his hand and show me what was in it; not surprisingly, he’d tried to hide a second piece of hard candy in his hand, hoping I wouldn’t catch it and he’d get two pieces of candy. Big no-no.
I was in a fairly understanding mood, so I simply took the second piece of candy away and told him he could have the first piece he’d picked. He gave me the puppy dog eyes, which I ignored, and I told him that he’d made his choice and had to live with it. Rather than eat that piece of candy, he said it wasn’t what he wanted, threw it back in the bowl and walked away. A few minutes went by, and we told the boys to go brush their teeth and go to bed. Cue the histrionics!
The screams went along the lines of “I’m not going to bed without dessert!” and “I’ll do anything for dessert! Absolutely anything!” Which was met with “You had your chance, you made your choice, now it’s too late.” He screamed, he cried, he screamed some more. But Daddy can be an immovable object when his mind is set, and a tired eight-year-old is going to bed whether he wills it or not, so Daddy won the argument. We’ll see if he’s learned his lesson for tomorrow night’s dessert.
How does this relate to security? Often, at least from our point of view, management is much like a spoiled eight-year-old who wants what they want, when they want it, and the consequences be damned! As an assessor, I hear companies tell me about a date they have to be compliant by and that they’ll do absolutely anything to meet that date. But when you start telling them what’s going to be required to be compliant, you start hearing all the excuses as to why particular pieces are impossible: “Can’t you just assess us on what we will be doing in the future?” or “Can’t you ignore that part of the requirements, since we’ll be doing it really soon?” I have about as much sympathy for them as I do for my son; I’m not the one who’s missing dessert, so he can either do what he’s supposed to or miss out on his sweets.
All too often, the cry of “I’ll do anything!” only lasts until it’s time to actually do something. I use compliance as an example, but this is just as big a problem in the rest of security. Management sees another company in their market get compromised and says they’ll do anything to avoid the same fate. Of course, ‘anything’ only lasts until they see the actual manpower and budgetary numbers that would be required to protect the company from the same fate that befell the competitor. And they get extra sensitive when told that the numbers you gave them will only protect them from the vulnerability du jour, and that additional resources will be required to become what you’d consider reasonably secure.
PCI is much the same way. Businesses think they can get away with half-way measures that almost, sort of meet the PCI requirements, but when a QSA comes in and says, “Let me see what’s in your other hand,” the crying begins. “I’ll do anything to be compliant!” Well, start by writing policies that meet the minimum standards. “Anything but that!” Configure your firewalls so they aren’t Swiss cheese that lets almost anything in. “Well, anything but those two things!” Implement a log manager. “Anything but …” You get the picture; the definition of anything quickly narrows from the dictionary definition of ‘anything’ to ‘the absolute minimum I can get away with’. It’s human nature to try to get as much as possible with as little effort as possible, whether you’re a mega-corporation or an eight-year-old.
PCI isn’t difficult; it’s a pretty minimal baseline for securing your company. Risk vs. compliance arguments aside, most of the things in PCI are measures the vast majority of businesses should be doing anyway to establish an infrastructure that’s capable of keeping the bad guys out or detecting them when they do get in. The people who are screaming because it’s too hard are the same people who probably wouldn’t be giving the security and IT teams the resources needed to secure the enterprise in the first place. And much like an eight-year-old, they’d rather scream and cry after the fact than plan ahead, follow the rules and do the right thing in the first place.
You can’t send a corporation to bed without dessert, and you can’t leave them unprotected. Just like parenting, you have to do your best and hope that it’s the right thing. Businesses are going to be much better served by looking ahead at what needs to be done and how to do it effectively and efficiently, rather than waiting until the last minute. It’s a mark of maturity that many businesses may never show. And again, just like a parent, it’s our job as security professionals to try to teach the businesses we work for how to plan ahead rather than screaming “I’ll do anything” when it’s already too late.
I think it’s time for me to go raid the candy bowl. Unless my wife says it’s already too late.