Comments on: It’s frustrating being a QSA, but sometimes it’s rewarding http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/ The views of one man on security, privacy and anything else that catches his attention. The views expressed on this blog do not reflect the views of my employer or anyone other than myself. Thu, 02 Feb 2012 21:45:54 +0000 hourly 1 http://wordpress.org/?v= By: Security: Don't Care, Shouldn't Have To Care | Business Computing World http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/comment-page-1/#comment-6278 Security: Don't Care, Shouldn't Have To Care | Business Computing World Wed, 07 Jul 2010 12:10:07 +0000 http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/#comment-6278 [...] tomorrow – so don’t start messing with his machine right now, thank-you very much. But he does care –a lot – that his system works and that he doesn’t get in [...] [...] tomorrow – so don’t start messing with his machine right now, thank-you very much. But he does care –a lot – that his system works and that he doesn’t get in [...]

]]> By: Rowan Stanfield http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/comment-page-1/#comment-6276 Rowan Stanfield Wed, 07 Jul 2010 08:39:25 +0000 http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/#comment-6276 I've been working with Trend Micro on a series of online Security workshops, the latest of which is currently running on the Register (http://www.theregister.co.uk/security/security_that_fits/). We've been reading your blog regularly as a reference for current thinking on security issues and found this post particularly useful for the latest piece 'DOES BUSINESS REALLY CARE ABOUT SECURITY?' (http://forums.theregister.co.uk/forum/1/2010/06/28/biz_care_about_security). I thought you might be interested to know that Trend's Senior Security Advisor Rik Ferguson has also linked to your post in a follow-up piece over on his Countermeasures blog: http://countermeasures.trendmicro.eu/dont-care-shouldnt-have-to-care/ We'd be really interested to hear your thoughts on the Register programme and Rik's own commentary on the subjects raised. Keep up the good work! I’ve been working with Trend Micro on a series of online Security workshops, the latest of which is currently running on the Register (http://www.theregister.co.uk/security/security_that_fits/).

We’ve been reading your blog regularly as a reference for current thinking on security issues and found this post particularly useful for the latest piece ‘DOES BUSINESS REALLY CARE ABOUT SECURITY?’ (http://forums.theregister.co.uk/forum/1/2010/06/28/biz_care_about_security).

I thought you might be interested to know that Trend’s Senior Security Advisor Rik Ferguson has also linked to your post in a follow-up piece over on his Countermeasures blog: http://countermeasures.trendmicro.eu/dont-care-shouldnt-have-to-care/

We’d be really interested to hear your thoughts on the Register programme and Rik’s own commentary on the subjects raised. Keep up the good work!

]]> By: Mike Bell http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/comment-page-1/#comment-6235 Mike Bell Mon, 28 Jun 2010 15:22:46 +0000 http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/#comment-6235 Martin, Great article. I am not a QSA, but am instead on the other side as a client. My company has recently become a level 1 merchant, and your article gave me some insight as to what the QSA's face at client sites. I know that you probably understand that a good many of the security professionals are very interested in the security of their sites, but may not always have the leverage or budget to implement security the way they feel it should be implemented, and many times may not have the people resources to maintain due diligence on a daily basis. It can be a tough balancing act! Great site. Thanks for the info. Martin,

Great article. I am not a QSA, but am instead on the other side as a client. My company has recently become a level 1 merchant, and your article gave me some insight as to what the QSA’s face at client sites.
I know that you probably understand that a good many of the security professionals are very interested in the security of their sites, but may not always have the leverage or budget to implement security the way they feel it should be implemented, and many times may not have the people resources to maintain due diligence on a daily basis. It can be a tough balancing act!

Great site. Thanks for the info.

]]> By: Donald Johnston http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/comment-page-1/#comment-6193 Donald Johnston Thu, 17 Jun 2010 22:55:47 +0000 http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/#comment-6193 The idea that clients "then ignore the whole thing for the next 8-10 months" makes the whole concept of "in-and-spin" very difficult! A bit of tongue in cheek comment, but too often I see clients like that accusing me of wanting to take a simple assessment and turn it into a money grab of services. How did they figure they would handle those items that a non-compliant? The idea that clients “then ignore the whole thing for the next 8-10 months” makes the whole concept of “in-and-spin” very difficult! A bit of tongue in cheek comment, but too often I see clients like that accusing me of wanting to take a simple assessment and turn it into a money grab of services. How did they figure they would handle those items that a non-compliant?

]]> By: Diami03 http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/comment-page-1/#comment-6130 Diami03 Fri, 28 May 2010 15:17:14 +0000 http://www.mckeay.net/2010/05/28/its-frustrating-being-a-qsa-but-sometimes-its-rewarding/#comment-6130 Very well said Martin. I'm slightly jealous as I have yet to run into a PCI client who is interested in security outside of their "PCI segment" and I've been a QSA for almost 5 years. With that said, I agree there are some security staff who are truly interested in securing their environment and at times great infosec discussions ensue, which keeps me from jumping out of their 25th floor window. However, those conversations usually end with a sigh as we both realize none of our security topics or revelations are going to be realized in the client's environment. As @securityninja stated (tweeted), "it is nice to read the views of two obviously good QSA's" and I agree. You are one of the good ones and I count myself lucky for having met another who is trying to successfully navigate in this compliance wasteland. Very well said Martin. I’m slightly jealous as I have yet to run into a PCI client who is interested in security outside of their “PCI segment” and I’ve been a QSA for almost 5 years. With that said, I agree there are some security staff who are truly interested in securing their environment and at times great infosec discussions ensue, which keeps me from jumping out of their 25th floor window. However, those conversations usually end with a sigh as we both realize none of our security topics or revelations are going to be realized in the client’s environment.

As @securityninja stated (tweeted), “it is nice to read the views of two obviously good QSA’s” and I agree. You are one of the good ones and I count myself lucky for having met another who is trying to successfully navigate in this compliance wasteland.

]]>