
IT Security, Compliance and Best Practices

Archive for the ‘Gene Kim Video Blog’ Category

An Exciting Day! Leaving Tripwire To Begin My Next Chapter In Life

Tuesday, July 27th, 2010


The evening of July 20 was both joyous and bittersweet. Why? It was joyous because I spent the evening with so many Tripwire colleagues that I've loved working with, who were all congratulating me and wishing me well. It was bittersweet because this was my farewell party at Tripwire: thirteen years after I founded Tripwire, I was leaving the company to start the next chapter in my life.

I announced my plans to the company on July 1. I'll be posting that letter tomorrow.

I am very proud of my contributions to the company. Looking back, I've achieved almost everything I set out to achieve at Tripwire. Eighteen years ago, in 1992, I wrote the original version of Tripwire with Dr. Gene Spafford. Now it is a company that has thousands of customers, booked over $80MM in 2009, and continues to be used as part of information security, compliance and IT operations programs worldwide. And as widely reported, the company completed its S-1 filing in May.

I am very grateful to Jim Johnson, the Tripwire CEO, for making something that was so difficult (for me) so easy. He is a genuinely great guy with unquestionable integrity. The company's future has never been this bright, and I am deeply grateful to everyone who has helped make that happen, including our customers and investors.

For me, the time was right to take some time off to spend with my family and resume work in an area of passion: to complete the study of what makes high performing IT organizations tick, and to enable others to replicate it.

As many of you know, since 2000, I’ve been studying a group of IT organizations that simultaneously achieve the best IT service levels, the best posture of compliance, the best integration of information security into the software development lifecycle, and also have the highest release rates and project due date performance.

How these organizations made their "good to great" transformation is what my colleagues and I captured in the Visible Ops and Visible Ops Security Handbooks, and why we created a non-profit research organization that benchmarked over 1,500 IT organizations to determine which practices led to improved performance.

Along with some trusted collaborators and fellow travelers, I believe that the conditions are now very favorable to propose some new solutions, dramatically different from the status quo.

In addition to spending half-time with my family, here are the three things that I intend to complete in the next two years:

Project #1: Finish My Book: “When IT Fails: The Novel”

Finish the novel “When IT Fails: The Novel.” The novel describes the fall and eventual triumph of the CEO and VP IT Operations of a 100 year old, $4B/year company at the brink of existential failure.

The CEO must close the gap with the competition.  But the two most critical projects necessary to achieve this are years late and way over budget, mostly because of IT. Furthermore, the company is losing customers due to outages and fragile and insecure IT infrastructure, SOX-404 IT audit findings are jeopardizing their 10-K with disastrous footnotes, PCI compliance failures threaten to damage the company brand, and developers are taking dangerous shortcuts in order to meet external promises.

It starts to dawn on the CEO that his survival now depends upon the success of IT and information security. And while he believes that IT is not their core competency, he learns that the company cannot function without it, and is therefore a competency that they must develop.

You can learn more about the book here.

Project #2: Start An Exciting New Venture

During my thirteen years at Tripwire, I was very focused on the mechanics of how organizations can detect and manage configurations and changes. But in reality, the problem starts far upstream, in how the business and IT organizations make the decisions that necessitate those changes.

I am starting a new venture to develop the methods, procedures and enabling software tools needed to support the transformations described in “When IT Fails: The Novel.”

I am very excited to be working with some very talented and trusted colleagues, so stay tuned for more details.

Project #3: Continue Engaging With Kick-Ass Communities Of Practice

Work with the communities that I believe will be an instrumental part of creating the management movement to change how IT is managed. These include: DevOps, the PCI Security Standards Council, Service Management, the Institute of Internal Auditors, the Software Engineering Institute, and I know I've forgotten to mention some others!

I’ve had tremendously productive collaborations with these groups, as well as forming lasting friendships.  And I believe bigger and better achievements are still to come.

So Stay Tuned!

Thank you again for all your support, and I look forward to collaborating with you in this new chapter of my story. If you want information on my progress, follow me on Twitter or subscribe to my newsletter.

Later this week, I’ll post my internal email announcement of my departure to the company, as well as pictures from the amazing farewell party that they threw for me.


Mobilizing the PCI Resistance, Part II: First Let’s Re-Examine The SOX-404 Problem…

Friday, June 18th, 2010

(Reprinted from personal blog entry)

Previously, in my blog post "Upset about the subjectivity and ambiguity in the PCI DSS compliance standards? My #BSides submission on the answer…", I suggested that in order to improve the state of the practice for PCI, we should look at the similar symptoms that appeared in Year 1 and Year 2 for the IT portions of SOX-404.

Last week, during one of the working calls I had with my PCI Scoping SIG team, I dug out some of the early presentations I did as we were launching the GAIT project at the Institute of Internal Auditors.

The project ran from approximately July 2005, when we held our first summit, to February 2007, when the GAIT guidance was officially announced.

Upset about the subjectivity and ambiguity in the PCI DSS compliance standards? My #BSides submission on the answer…

Tuesday, June 1st, 2010

(First, a disclaimer: Although I am part of the leadership team of the PCI Scoping Special Interest Group, everything in this article is only my opinion, not anyone else's, and not an official position of the PCI Security Standards Council.)

Don't get me wrong. I think the mission behind the Payment Card Industry Data Security Standard (PCI DSS) is a critical one: "improve the security of global payment systems by protecting consumers, merchants and banks from credit information theft and loss and subsequent fraudulent activity."

The fact that millions of cardholder records continue to be stolen shows that there is a need for significantly increased discipline and rigor around the controls required to protect cardholder data.

But as organizations mobilize to comply with the PCI Data Security Standard, they're finding that it's a huge project. Like really huge. Many organizations are finding that complying with PCI DSS will require more project hours than the organization has! Even if the only project they had to complete was "comply with PCI," they still wouldn't be able to complete it in one year!

Even for organizations that don’t have over ten-thousand project hours dedicated to PCI, PCI compliance is still sucking up all the air in the room, starving a gazillion important projects of necessary resources.

One of the most frustrating aspects of PCI, though, is the standoff between the organizations who have to comply with the PCI DSS, and the Qualified Security Assessors (QSAs) that audit them for compliance.

The interaction may sound like this:

  • Organization: “We have isolated our sales order entry systems as best as we can, and believe we are still effectively protecting cardholder data. Due to an architectural decision, we can’t partition off these systems from the rest of the business processes.”
  • QSA: “I understand. But, we’re still liable for our role. So, your entire 20,000 systems will be in the scope of the PCI assessment.”

Maybe it's not 20,000 systems that are being argued about. Maybe it's the CEO's laptop, even though the CEO isn't entering customer orders or able to retrieve cardholder records.

I think this is an important topic. So, here's the talk that I'll be submitting for this year's Las Vegas #BSides conference.

“Properly Mobilizing the PCI Resistance: Lessons Learned From Fighting Prior Wars (SOX-404)”

I have noticed that there is a growing wave of discontent and disenchantment from information security and compliance practitioners around the PCI DSS.  Josh Corman has been an effective voice for these concerns, providing an intellectually honest and earnest analysis in his talk “Is PCI The No Child Left Behind Act For Infosec?”

The problems are well known and significant: too much ambiguity in the PCI DSS, Qualified Security Assessors (QSAs) and consultants using subjective interpretations, existing guidance that is either too prescriptive or too vague, scope missing critical systems that could put cardholder data at risk, overly broad scope and excessive testing costs, excessive subjectivity and inconsistency, poor use of scarce resources, no meaningful reduction in the risk of data breaches, and so forth.

For years, I have been studying the PCI DSS compliance problem as well. I have noticed many similarities between the PCI compliance challenges and the "SOX-404 Is The Biggest IT Time Waster" wars of 2005. I was part of the leadership team at the Institute of Internal Auditors (IIA) where we did something about it. We identified the inability to accurately scope the IT portions of SOX-404 as the root cause of the billions of dollars of wasted time and effort, which did nothing to reduce the risk of financial misstatements.

I propose to present the two-year success story of the IIA GAIT project and how we changed the state of the IT audit practice in support of SOX-404 financial reporting audits. We defined the four GAIT Principles, which could be used to correctly scope the IT portions of SOX-404. We mobilized over 100K internal auditors, the SEC and PCAOB regulatory and enforcement bodies, as well as the external auditors from the eight big CPA firms (e.g., the Big Four and other firms doing SOX advisory work). In short, we made a difference, in a highly political process that involved many constituencies.

I am attempting to do something similar with the PCI Security Standards Council, through my work as one of the leaders of the PCI Scoping SIG (Special Interest Group). My personal goal is to find a "third way" to better enable correct scoping of the PCI Cardholder Data Environment, and to create a risk-based approach for substantiating the effective controls that ensure cardholder data breaches are prevented, and quickly detected and corrected when they do occur.

My desired outcome is to find fellow travelers who also see the pile of dead bodies in PCI compliance efforts, and work with those practitioners to catalyze a similar movement to achieve the spirit and intent of PCI DSS.

There is a better way…

I’ll be writing a lot more on this.  Here are some topics I’m hoping to cover in the next couple of weeks:

On GAIT and SOX-404:

  • a history of the GAIT for SOX-404 project
  • examples and analysis of inappropriate SOX-404 scoping
  • the method behind the madness: why did GAIT work?

On its application to PCI:

  • what principles can be ported over to PCI DSS?
  • conversation with Josh Corman on “inside baseball talk: how does the PCI SSC and the SIGs work?”

And some very exciting news on how the PCI Scoping SIG is doing:

  • the thought process behind the solution
  • desired outcomes and guidance
  • a report on our progress and work in process on solving this problem

And most importantly, what can you do to help?

Of course, the last point is likely the most important one. There are things you can do to help the movement. Interested in learning more? Or is this just a hysterical person on a lonely crusade against an imagined problem?

Thanks, and looking forward to your comments!

(Reprinted from personal blog entry)


Gene Kim Video Blog: How Did We Get Hacked Even Though We Passed the Audit?

Tuesday, May 18th, 2010

We have been talking with Gene about various audit horror stories. In this episode, Gene aptly titles the discussion "How did we get hacked even though we passed the audit?" Compliance becomes a point-in-time snapshot if you approach it as a project you have to complete for a test, and many people approach compliance initiatives such as PCI or SOX-404 in just this way. A point to consider: when you are secure, compliance is free, not vice versa.