Skip to content ↓ | Skip to navigation ↓

Matt posted my video interview of Josh Corman here. I’ll be posting a more complete analysis of Josh’s now famous talk, “Is PCI The No Child Left Behind Act For Information Security?” You can read Bill Brenner’s interview of Josh on CSO Online here (great article title: “Analyst: PCI Security a Devil, ‘Like No Child Left Behind”).

I very much appreciated the thinking and analysis that went into Josh’s talk. I have observed the enormous effort that is required to comply with the PCI Data Security Standard, and when done poorly, doesn’t achieve compliance or information security goals.

This is a very important problem in this economic environment, given the amount of time and resources that PCI compliance programs are consuming.

And incidentally, why I helped create and am part of the leadership team of the PCI Scoping Special Interest Group (SIG), which is one of the primary ways for the PCI Community to change the state of the practice. I observed many of the same phenomenas happening that happened in the first two years of SOX-404 — there are things we can learn from and apply in the world of PCI.

I’ll be writing more about this in my next blog post.

But, first, here is my Twitter stream from Josh’s talk. (Thanks to TwimeMachine for making it so easy to grab these, as they disappeared from Twitter search.)

Great work, Josh. You’ve put your finger on a very important issue. More commentary on your talk to come…

.@joshcorman talk: siting in on Josh’s “Is PCI The No Child Left Behind For Security” — this is yr #3 for comment/criticize PCI @ #interop Wed Apr 28 18:33:16 +0000 2010

.@joshcorman talk: Observes that PCI SSC has been slugging in responding to industry needs: points to virtualization guidance #interop Wed Apr 28 18:33:55 +0000 2010

(BTW, disclosure time: I’m on the PCI Scoping SIG, trying to address many of the issues that Josh brings up.) #interop Wed Apr 28 18:34:30 +0000 2010

.@joshcorman talk: “cost of PCI compliance is absolutely unacceptable. infosec spend: 4% to 9%. Cuz of cost/complexity” #interop Wed Apr 28 18:35:45 +0000 2010

.@joshcorman talk: “since 1984, almost every infosec penny spent on external threads. Now 50-70% on regulatory compliance” #interop Wed Apr 28 18:37:08 +0000 2010

.@joshcorman talk: “consequence? infosec giving up on risk mgmt, focusing instead on what other people want you to do.” #interop Wed Apr 28 18:37:31 +0000 2010

.@joshcorman talk: “Why focus on compliance instead of security? I might be hacked, but I will be fined.” #interop Wed Apr 28 18:38:06 +0000 2010

.@joshcorman talk: “Another external factor: budgets are down, b/c of recession.” (i.e., compliance sucking all air in the room) #interop Wed Apr 28 18:40:13 +0000 2010

.@joshcorman talk: “Increasing cost of compliance is creating existential threat to organizations” #interopWed Apr 28 18:40:53 +0000 2010

.@joshcorman talk: “I’m engaging with QSAs, and victims of PCI. Trying to engage in intellectually honest discussion” #interop Wed Apr 28 18:41:36 +0000 2010

.@joshcorman talk: “I want PCI to be successful: needs it to be better and more deliberate” #interop Wed Apr 28 18:42:34 +0000 2010

.@joshcorman talk: “PCI has done something fantastic: created budgets where there was none before. Infosec isn’t recession proof” #interop Wed Apr 28 18:43:23 +0000 2010

.@joshcorman talk: “compliance may lower the infosec bar, because of ‘check the box’ mentality'” #interopWed Apr 28 18:45:10 +0000 2010

.@joshcorman talk: “PCI creates monoculture for merchants.” (Ermm.. Not a bad things, necessarily) #interop Wed Apr 28 18:46:55 +0000 2010

.@joshcorman talk: “Quote: ‘PCI is the devil’, from CISO complaining that PCI budget went away after proj completed” (That’s life) #interop Wed Apr 28 18:47:37 +0000 2010

.@joshcorman talk: “‘PCI is the devil’ comment form Josh led to standing ovation from CISO. Fear auditors more than attacker” #interop Wed Apr 28 18:49:08 +0000 2010

.@joshcorman talk: “No Kid Left Behind: meant to make dumb kids smarter. instead, it has squeezed kids to middle” #interop Wed Apr 28 18:50:03 +0000 2010

.@joshcorman talk: “No Child Left Behind: is also an unfunded mandate. Sound familiar?” #interop Wed Apr 28 18:50:35 +0000 2010

Answer: move to principles based guidance, like GAAP. RT @blazing_b: @joshcorman if PCI mvs to 3 year rev cycles, how can it keep up? Wed Apr 28 18:51:23 +0000 2010

.@joshcorman talk: “it’s not easy to pass the audit. PCI bellcurve: negligent, avg, advanced” (they’re doing it wrong..) #interop Wed Apr 28 18:52:44 +0000 2010

.@joshcorman talk: Nice diagram showing ecosystem of threats vs vendors and startups. 70 infosec markets now (thank u analysts!) #interop Wed Apr 28 18:54:28 +0000 2010

.@joshcorman talk: “”vendor R&D $$ going to regulatory compliance, instead of threats; creating econ disincentive for innovatoin” #interop Wed Apr 28 18:55:44 +0000 2010

.@joshcorman talk: “VC dollars moving away from infosec” (really? and if so, who cares? :-) #interop Wed Apr 28 18:56:21 +0000 2010

.@joshcorman talk: “trusted security advisor/vendor used to work” (see Rick Moy’s talk abt how vendors failed Aurora response!) #interop Wed Apr 28 18:57:44 +0000 2010

.@joshcorman talk: “APT is wildly irresponsible marketing and a real threat.” #interop Wed Apr 28 18:58:29 +0000 2010

.@joshcorman talk: “PCI encourages using OLDEST counter measures vs NEWEST theats” (problem w/specifying ctrls instead of ctrl objs #interop Wed Apr 28 19:03:28 +0000 2010

.@lamw APT = Advanced Persistent Threats (or advanced persistent adversaries, like China Google attacks) Wed Apr 28 19:03:58 +0000 2010

My guess: In our lifetime. :-) RT @blazing_b: @RealGeneKim and how long will that take Wed Apr 28 19:04:38 +0000 2010

.@joshcorman talk: shows yearly graph of PCI releases vs data breaches. Going wrong way. (Funny, but he sez intellectly dishonest) #interop Wed Apr 28 19:06:21 +0000 2010

.@joshcorman talk: “@alexhutton: ‘we don’t have enough data to know that PCI is working” (wait, I think we’re actually close) #interop Wed Apr 28 19:08:04 +0000 2010

.@joshcorman talk: “Verizon data breach report: only 6 of 90 breaches could have been addressed by patching” (interesting) #interop Wed Apr 28 19:09:11 +0000 2010

.@joshcorman talk: “Facts don’t substantiate insider being dominant threat” (sigh. so prone to misinterpretation) #interop Wed Apr 28 19:10:41 +0000 2010

.@joshcorman talk: “AV is most expensive infosec tool, but least effective. Why in PCI?” (Soln: stick to control objs, not ctrls) #interop Wed Apr 28 19:11:51 +0000 2010

.@joshcorman talk: Sigh. Many of Josh’s issues go away if PCI stuck with specifying control objectives, instead of controls. #interop Wed Apr 28 19:12:55 +0000 2010

I don’t know! The esteemed @jpironti will know! RT @daniel_eason: @RealGeneKim is this preso being recorded? Wed Apr 28 19:13:36 +0000 2010

.@joshcorman talk: “PCI has accidental scope, often very diff than intended scope” (Yes! Scoping error is one of the root causes!) #interop Wed Apr 28 19:14:31 +0000 2010

.@joshcorman talk: I’d like to work with @normanmarks on talking about implic of PCI scoping errors… #interop Wed Apr 28 19:15:14 +0000 2010

.@joshcorman talk: “Oct 10 revisions: network and system search for cardholder data, oneway hashing PANs, 3 yr cycle, segmentation” #interop Wed Apr 28 19:17:46 +0000 2010

.@joshcorman talk: “Missing from Oct 2010 revisions: virtualization, cloud, *aaS, even more egregious given move to 3 yr lifecycle” #interop Wed Apr 28 19:18:54 +0000 2010

.@joshcorman talk: I think Josh is the Sarah Palin of the anti-PCI movement? :-) An effect voice, channeling frustration #interop Wed Apr 28 19:20:44 +0000 2010

.@joshcorman talk: “Some say PCI is too specific, some say not specific enough” (argh. No, shifting to ctrl objectives is answer) #interop Wed Apr 28 19:21:35 +0000 2010

.@joshcorman talk: “@jack_daniel: Threats are typically 2 yrs ahead of industry; compliance 2 yrs ahead of compliance” #interop Wed Apr 28 19:24:03 +0000 2010

.@joshcorman talk: “Addressed to PCI SSC: lead, follow, or get out of the way, esp given how much $$ being spent by industry” #interop Wed Apr 28 19:24:32 +0000 2010

.@joshcorman talk: “1) PCI is not going away. 2) PCI DSS needs to be contained, 3) Needs to be intellec honest” #interop Wed Apr 28 19:25:19 +0000 2010

.@joshcorman talk: “A lie? ‘no breached companies were compliant at the time of the breach'” (Logically tears this apart) #interop Wed Apr 28 19:26:21 +0000 2010

.@joshcorman talk: “VzB Data Breach Report: 1/3 breaches didn’t have evidence in the logs” #interop Wed Apr 28 19:27:25 +0000 2010

.@joshcorman talk: “Give relief to middle and high achievers, instead of punishing them.” #interop Wed Apr 28 19:28:53 +0000 2010

.@joshcorman talk: “Idea: create new center of gravity: Jericho forum to provide list of alternative controls” #interop Wed Apr 28 19:29:35 +0000 2010

.@joshcorman talk: (showing famous PCI Rocks school-house rock video. Suggesting lack of seriousness?) #interop Wed Apr 28 19:32:35 +0000 2010

.@joshcorman talk: “PCI Rock demonstrates focus on low performers, instead of higher performers” #interop Wed Apr 28 19:34:50 +0000 2010