Sep 11 2010
Last month, when I wrote my post “How would I write a framework to replace PCI?”, I had the kernel of an idea that I just had to get out in some form. It had been bouncing around in my head for several weeks, and rather than continue to let it ricochet off the inside of my skull, I put the beginning of the project in the post and figured the rest of it would just flow naturally from there. Except when I started writing some of my ideas down in iThoughts and having conversations with folks like Josh Corman and Andy Ellis, I realized how big a project I was really starting on and how complex the whole thing is. I also received some very insightful comments on the original post that gave me even more to think about. One of the things I’ve realized is that this isn’t something I can do in one or two posts; it’s something I’m actually going to have to plan out and write with some forethought, which is not my usual mode of expression at all.
One of the basic precepts I put forth for myself was to focus on the desired results rather than on controls. Yet I also stated that I wanted everything to flow from policy, which seems to be in direct opposition to focusing on results. Policy is never a result; it’s a series of base controls we put in place to tell us the results we hope to work towards. So from the very start I’m contradicting myself and not living up to my own goals. The only thing I can say to that is that policy, when done right, sets the expectations for the results we want the business to establish. In other words, I think of policy as a way of setting up the rules for the game of PCI and security, which is why I think policy should be the very first thing a business puts in place when it wants to improve security.
I’m not much closer to having the next article in this series than I was when I wrote the first one. Every time I talk to someone about PCI and how it can be reformed, I walk away with more questions than answers, and I have to wonder if it’s even possible to have a framework that is usable for such a large, diverse cross section of the industry. We’ve been working on security as an institution for three to four decades now, but firewalls and anti-virus seem to be the best we can come up with. I’m under no delusion that I’m going to be able to fix, or even significantly improve, the situation.
I’m still thinking about how to move PCI forward, and I still plan on writing more on the subject, but I need to plan it out and talk to more people about how this can be done. It may be a couple of months before I can write the next steps in this series. But I’m still thinking about it and will get back to it, and I’m hoping it’ll be worth the wait.