If you are responsible for cybersecurity or data protection in your organization, stop what you are doing and read this report. Actually, first, go patch your servers and applications and then read this report. Much like Verizon’s Data Breach Investigations Report (DBIR), the Payment Security Report (PSR) is a must-read for security professionals. While it focuses on the PCI DSS standard and reviews compliance related to its 12 requirements, it is much more than a review of how companies are doing regarding PCI compliance. The compliance statistics are informative and show some alarming trends about how well companies are protecting payment card data. Those trends should cause any CISO to look closely at how their organization is handling data protection – and not just for payment cards. Critical data needs protecting regardless of how it is used. The PCI standard is broadly applicable, and the controls are just as effective for PHI, PII, and other sensitive data.
Key Finding – Companies Aren’t Doing Vulnerability Management
For me, the key finding in the report is this: organizations are failing to implement a vulnerability management program. According to the report, over one-third of companies are not ensuring that vulnerability scans are running or are not examining those reports when they do run. Those companies may not be scanning at all, and even if they are, those scans aren’t doing any good. Further, a full 28 percent of companies aren’t ensuring that system components are protected from known vulnerabilities. This tells me that companies don’t know about vulnerable systems in their environment and are therefore not doing anything to protect themselves against exploits and data breaches. This is surprising because scanning, reviewing, and patching are relatively simple processes to implement. That isn’t to say they are easy, but given the positive impact vulnerability management has on security posture, this should be a high on the priority list. See vulnerability management best practices and the vulnerability management pages on The State of Security
Major Surprise – A Valuable Toolbox
When I downloaded the PSR, I expected the usual treasure trove of data Verizon usually provides. What delighted me, however, was the report provided a very accessible way to improve security and compliance posture. The first thing that I noticed is the focus on a data protection program and not just a set of tools or best practices. A program ensures continuous compliance and focuses on protecting data rather than just passing an audit. Secondly, Verizon goes a step further and provides a framework for establishing this program and measuring its maturity. The 9-5-4 framework is named for the model’s components: 9 factors of the compliance program, 5 constraints governing the program, and the 4 lines of assurance for the program. This post won’t go into details about the model, (That would warrant its own treatment.) but I will enumerate the five constraints because I feel they have universal application:
- Capacity – Do you have the resources necessary? (Add more or reduce scope.)
- Capability – Do you have the capabilities in place? (Add tools, ability to operate them.)
- Competence – Can you use the tools well? (Add training or augment with technicians.)
- Commitment – Do you have the support you need? (Prioritize data protection, demonstrate program value.)
- Communication – Are the communication lines well established? (Build in good communication plans that travel both up and down as well as across the organization.)
Lastly, there is a very nice section covering maturity models. The general use of this information makes it incredibly valuable. The concepts can be applied to information security programs, a DevSecOps maturity plan, or any program that you want to measure the growth of.
Conclusion – Use This Verizon Report
Reading the Verizon report is a good start, but the real value comes from implementing the recommendations. This will ensure greater data protection as well as help with audit compliance. If your organization is one of the thirty percent in need of a vulnerability management program, Tripwire can provide the assessment technology, the expertise, and even managed services to accelerate your maturity and shore up compliance commitments.
Editors note: For an alternative read, check out Equilibrium's blog, Recent Verizon report shows worrying global drop in PCI Compliance.