May 28 2010
It can be downright disheartening to be a QSA. If you do your job and identify holes in a merchant or service provider’s systems, they’re upset. If you try to help them adapt their current systems to meet with PCI, they think you’re letting them off the hook. If you send them a packet of documents about what to expect during the assessment and what they’ll need to gather, more often than not the client will ignore it and claim you never told them what you needed. If their due date for compliance is coming up quick, it won’t matter how long you told them the writing and quality control process would take, they want their Report on Compliance turned around overnight. And then there’s the whole ‘check list’ mentality that has many people responding to the letter of the PCI DSS, completely ignoring that with a little more effort they could have increased their security instead of just marking off a box. Yes, being a PCI can be frustrating, annoying as hell and will burn you out if you’re not careful. Just ask my friend Michelle, she’ll tell you exactly how hard it is to be a Qualified Security Assessor.
She’s got a number of good points; we see all too many clients who just want to have their PCI assessment and then ignore the whole thing for the next 8-10 months, until the whole process starts over again. They don’t want to think about PCI at all during that time, they don’t realize that there are a number of requirements that mandate continuing effort on a daily basis, not just when the assessor is on site. And we never, ever see clients putting lipstick on the pig just to cover up a deficiency until the assessor is gone. Oh no, never that.
But there is an upside to being a QSA. Some security departments have learned to do an awful lot with very limited budgets. Some clients understand that attaining compliance as a side effect of security is actually cheaper and easier than trying to do it the other way around. Some clients actually want an honest review of their environment that identifies potential weaknesses outside of a strict interpretation of PCI. And every so often you run into a client who’s doing something unique and unusual that doesn’t meet the letter of the law of PCI but still manages to exceed the intent of the requirements, sometimes by quite a bit.
These are the clients who keep me from pulling my hair out. I find it rejuvenating to talk to a client about the security impacts of changes to their environment honestly, rather than trying to argue an interpretation of PCI that doesn’t require them to make any changes or worse, leaves them less secure if implemented. When a client understands their own environment and knows why their data is where it is, it makes my job, and theirs, so much easier than when clients are doing their discovery while I’m on-site. And sometimes I’m actually working with a client to secure their environment, rather than fighting to get them to implement basic security controls.
I recognize that being a PCI QSA and consulting with clients on meeting the DSS requirements is a balancing act; we try to balance security against the DSS against budgetary and manpower constraints. And since we only have two hands, balancing three competing limitations is hard, very hard. If you’re in this field and you don’t feel burnt out from time to time, it means you don’t care. And that is probably a bigger vulnerability than most of the technical requirements in any compliance framework.
It’s the clients who view the security of their company as a calling that keep me coming back. It’s easy to check off a box, go home at night and ignore what’s happening to your business while you’re away. But some security professionals are intensely passionate about what they do and how well they’re protecting their enterprise. These are the people who make being an assessor worthwhile. Because even if you’re arguing with them about an interpretation or commiserating about a requirement that sounds stupid on the surface, you know these people care and at the end of the day, they don’t just walk away thinking their job is done, they worry about bettering their company’s security the next day.
Next post I’ll address Branden William’s post “Why ISA’s are qood for QSA’s” Can you say “arm chair quarterbacks”? I knew you could.