The Great PCI Security Debate of 2010: Transcribed

For those who prefer to read as well as listen, here's a partial transcript of the PCI security debate that appeared on CSO Senior Editor Bill Brenner's Security Insights podcast and Martin McKeay's Network Security podcast.

By Bill Brenner, Senior Editor

January 20, 2010 | CSO

Network Security Podcast host Martin McKeay and I recently teamed up for a two-part debate on the pros and cons of the PCI Data Security Standard, with an all-star cast of IT security and compliance professionals. We got the idea for this face-off after 451 Group analyst Josh Corman gave a presentation in which he questioned the effectiveness of the PCI security standard and several IT security practitioners took exception to his description of it as being like "No Child Left Behind."

Along with Corman and the two of us, participants in this roundtable are Jack Daniel, a member of the National Information Security Group (NAISG) and one of the industry's leading activists, Ben Rothke, senior security consultant for BT Global Services, Dr. Anton Chuvakin (Ben and Anton are leading voices on PCI DSS and the authors of several books on IT security), Seattle-based security consultant Ward Spangenberg, and Michael Dahn, a PCI QA manager and director for the InfraGard National Members Alliance (INMA).

What follows is a partial transcript of the debate -- something to stimulate the appetite for more. If it works and you decide to catch the debate in full, you can listen to The Great PCI Security Debate of 2010: Part 1 and Part 2 at both CSOonline and the Network Security blog.

We begin here:

After McKeay suggests that Corman's position on PCI DSS is "BS," Bill Brenner asks Corman to respond.

Josh Corman: I'm still not sure what we're crying "BS" on, so I'll try to re-articulate here: If you look at a normal bell curve for anything, whether it's No Child Left Behind or how mature a risk program is, there are under-achievers, the bulk in the middle and then there are people who do an excellent job. I've had the privilege to work with a lot of financial services, a lot of DOD [Department of Defense] contractors and the pharmaceuticals and they do a fantastic job. So, it would be a mistake for me to design a universal security program for the security elite. But it would also be a mistake for me to design a fairly expensive and time-consuming process for the neglectful.

I think it was Mike Rothman (of Security Incite) who said this is a Darwinist thing. There are certain people who will never do good security where you can beat them with a stick and they'll do exactly what you told them to do and they'll still have piss-poor security. You guys talk about how, as QSAs, you deal with laggards who can't even spell firewall but I've often dealt with people who do a decent risk program and understand that if there's a new attack vector or technology they need to take new measures to do something about it. What I see, instead of talking about the communities of the laggards and the elite, is something else.
