May 28 2010

It’s frustrating being a QSA, but sometimes it’s rewarding

Published by at 6:48 am under PCI

It can be downright disheartening to be a QSA.  If you do your job and identify holes in a merchant's or service provider's systems, they're upset.  If you try to help them adapt their current systems to meet PCI, they think you're letting them off the hook.  If you send them a packet of documents about what to expect during the assessment and what they'll need to gather, more often than not the client will ignore it and claim you never told them what you needed.  If their due date for compliance is coming up quickly, it won't matter how long you told them the writing and quality control process would take; they want their Report on Compliance turned around overnight.  And then there's the whole 'checklist' mentality that has many people responding to the letter of the PCI DSS, completely ignoring that with a little more effort they could have increased their security instead of just marking off a box.  Yes, being a QSA can be frustrating, annoying as hell, and will burn you out if you're not careful.  Just ask my friend Michelle; she'll tell you exactly how hard it is to be a Qualified Security Assessor.

She's got a number of good points; we see all too many clients who just want to get through their PCI assessment and then ignore the whole thing for the next 8-10 months, until the whole process starts over again.  They don't want to think about PCI at all during that time, and they don't realize that a number of requirements mandate continuing effort on a daily basis, not just when the assessor is on site.  And we never, ever see clients putting lipstick on the pig just to cover up a deficiency until the assessor is gone.  Oh no, never that.

But there is an upside to being a QSA.  Some security departments have learned to do an awful lot with very limited budgets.  Some clients understand that attaining compliance as a side effect of security is actually cheaper and easier than trying to do it the other way around.  Some clients actually want an honest review of their environment that identifies potential weaknesses outside of a strict interpretation of PCI.  And every so often you run into a client who’s doing something unique and unusual that doesn’t meet the letter of the law of PCI but still manages to exceed the intent of the requirements, sometimes by quite a bit.

These are the clients who keep me from pulling my hair out.  I find it rejuvenating to talk honestly with a client about the security impact of changes to their environment, rather than arguing over an interpretation of PCI that doesn't require them to make any changes or, worse, leaves them less secure if implemented.  When a client understands their own environment and knows why their data is where it is, it makes my job, and theirs, so much easier than when clients are doing their discovery while I'm on site.  And sometimes I'm actually working with a client to secure their environment, rather than fighting to get them to implement basic security controls.

I recognize that being a PCI QSA and consulting with clients on meeting the DSS requirements is a balancing act; we try to balance security against the DSS against budgetary and manpower constraints.  And since we only have two hands, balancing three competing limitations is hard, very hard.  If you're in this field and you don't feel burnt out from time to time, it means you don't care.  And that is probably a bigger vulnerability than most of the technical requirements in any compliance framework.

It's the clients who view the security of their company as a calling that keep me coming back.  It's easy to check off a box, go home at night, and ignore what's happening to your business while you're away.  But some security professionals are intensely passionate about what they do and how well they're protecting their enterprise.  These are the people who make being an assessor worthwhile.  Because even if you're arguing with them about an interpretation or commiserating about a requirement that sounds stupid on the surface, you know these people care, and at the end of the day they don't just walk away thinking their job is done; they worry about bettering their company's security the next day.

Next post I'll address Branden Williams' post "Why ISAs are good for QSAs."  Can you say "armchair quarterbacks"?  I knew you could.


5 Responses to “It’s frustrating being a QSA, but sometimes it’s rewarding”

  1. Diami03 on 28 May 2010 at 7:17 am

    Very well said Martin. I’m slightly jealous as I have yet to run into a PCI client who is interested in security outside of their “PCI segment” and I’ve been a QSA for almost 5 years. With that said, I agree there are some security staff who are truly interested in securing their environment and at times great infosec discussions ensue, which keeps me from jumping out of their 25th floor window. However, those conversations usually end with a sigh as we both realize none of our security topics or revelations are going to be realized in the client’s environment.

    As @securityninja stated (tweeted), “it is nice to read the views of two obviously good QSA’s” and I agree. You are one of the good ones and I count myself lucky for having met another who is trying to successfully navigate in this compliance wasteland.

  2. Donald Johnston on 17 Jun 2010 at 2:55 pm

    The idea that clients "then ignore the whole thing for the next 8-10 months" makes the whole concept of "in-and-spin" very difficult! A bit of a tongue-in-cheek comment, but too often I see clients like that accusing me of wanting to take a simple assessment and turn it into a money grab of services. How did they figure they would handle those items that are non-compliant?

  3. Mike Bell on 28 Jun 2010 at 7:22 am

    Great article. I am not a QSA, but am instead on the other side as a client. My company has recently become a Level 1 merchant, and your article gave me some insight as to what QSAs face at client sites.
    I know that you probably understand that a good many security professionals are very interested in the security of their sites, but may not always have the leverage or budget to implement security the way they feel it should be implemented, and many times may not have the people resources to maintain due diligence on a daily basis. It can be a tough balancing act!

    Great site. Thanks for the info.

  4. Rowan Stanfield on 07 Jul 2010 at 12:39 am

    I’ve been working with Trend Micro on a series of online Security workshops, the latest of which is currently running on the Register (

    We’ve been reading your blog regularly as a reference for current thinking on security issues and found this post particularly useful for the latest piece ‘DOES BUSINESS REALLY CARE ABOUT SECURITY?’ (

    I thought you might be interested to know that Trend’s Senior Security Advisor Rik Ferguson has also linked to your post in a follow-up piece over on his Countermeasures blog:

    We’d be really interested to hear your thoughts on the Register programme and Rik’s own commentary on the subjects raised. Keep up the good work!

  5. […] tomorrow – so don’t start messing with his machine right now, thank-you very much. But he does care –a lot – that his system works and that he doesn’t get in […]
