Maturity and Convergence at the PCI-SSC Community Meeting

I attended the PCI-SSC community meeting this past week (September 22-24). There were three key issues discussed that showed that the PCI program is maturing and that a number of standards and regulations are converging (both in and outside the PCI world).

The first issue signaled that the council’s view of IT risk is maturing. Bob Russo made it very clear in a couple of his presentations that organizations need to focus on security as opposed to just compliance, although there wasn’t a lot of detail offered on how to do this. The presentations mainly focused on ensuring that complying with the PCI standard is a year-round activity/program and not something just done for the audit. I’d argue that moving from compliance to security is a philosophical shift that occurs when organizations mature in how they deal with IT and business risk. Generally, the financial services organizations within the PCI community get this. It’s interesting to note that the driver for the council’s new views appears to be the very public breaches that have occurred within PCI-covered organizations over the past 18 months. So, the council has felt the impact. The key question is how the council will help the greater PCI community understand and mature their approach to IT and business risk.

The second, closely related topic was the focus on moving to more of a risk-based approach to implementing the PCI DSS. The council was only lukewarm to this idea, and I agree with their hesitation. Managing a risk-based approach may be something that is incorporated over time, but it adds too much subjectivity to the current PCI program. I think that until more organizations fully and truly implement PCI, such an approach will only muddy the waters. That said, incorporating risk as a consideration is important to an organization’s compliance efforts. As I mentioned above, I think the most pertinent issue is to get PCI-covered organizations to understand IT risk and how it translates into risk to their business. While assessors and many of the banks understand this, some merchants are still a ways off in getting to this level of maturity.

The final and much broader issue related to general standards. The council has always relied on NIST as a guideline, but this year there was much more discussion surrounding NIST, FISMA, and future regulations that will impact PCI. In the keynote, former Congressman Tom Davis discussed the process of passing FISMA. His prediction was that any new information security legislation was not going to happen in the near term. Nonetheless, there appears to be a converging consensus on the value of the existing FISMA and NIST standards. The nuclear power industry, NERC, and a number of the ISACs are strongly considering moves and potentially longer-term mandates that use these federal standards as their direct basis. Ultimately, I think it is very likely that many organizations will use significant portions of these federal standards as their basis. This could be both good and bad and is much easier said than done, but simplification and consistency should help all industries and information security in general.

Overall, the conference was a good barometer on the maturity of the PCI community and I think that, although there have been issues, the program is moving in the right direction.


Security, Compliance, and the New Retail Economy

As the PCI Community Meeting is set to start tomorrow, I have been thinking about the current state of the retail marketplace and what that means for NetSPI’s focus–security and compliance. During the down economic times no retailer really came through unscathed. Everyone suffered to some degree, but even during the most difficult periods of this recent recession, retailers that were well-run and focused on a strategic vision managed to weather the storm and to prepare themselves for the coming improvement in market conditions. Interestingly enough, during this same period the attitude towards compliance and security also shifted within the management ranks at these same organizations. What was once something they hoped to avoid became not just accepted, but in some ways welcomed. The realization that compliance and security were not just checklist items, but rather could provide strategic advantage really sank in, and these leading retailers began to use the requirements of PCI (for example) to re-invigorate broader security initiatives and to use any technical or policy adjustments as opportunities to simplify their security scope and implement better overall security policy. NetSPI’s retail clients expanded their security efforts during these poor economic times and now sit in a position where they can leverage that effort into a better experience for their customers as well as for their own employees. For them it was another facet of their plan to better position their company to lead in an improved economy.

We are now starting to see that trend expand to retail organizations that have been harder hit during the recession. Organizations that are in transition are also starting to see the light and to understand that, by taking a strategic approach to compliance and security, they will ultimately position themselves to fit better with the new attitudes of consumers. Consumers are not as brand-loyal as they were before the economic challenges and are far less forgiving of a retailer that doesn’t take their private information seriously. With the economy showing signs of improvement, a rebirth is beginning in the retail space. Activities that have been conspicuously absent for the last few years–acquisitions, major technology investment, location expansion, and even IPOs–are starting to make headlines in the trade magazines and the broader press. This is a good sign for both the retail community and our economy at large, but the organizations that will take the lead over the next few years and separate themselves from the pack are those companies that have both a strategic vision (which includes security) and the ability to execute effectively.


Cyber Security and Nuclear Energy

I attended the Nuclear Information Technology Strategic Leadership (NITSL) conference last week, which featured some very interesting discussions on cyber security. One of the keynote speakers described the state of the industry’s physical security, which, when compared with information security, is in very good shape. She discussed the quite substantial investment that her organization had made over the past eight years.

In general, since 9/11 the nuclear power industry has spent billions on physical security upgrades and programs at US plants. This spending is in addition to the significant budgets for physical security allocated since the industry’s inception. Physical security has always been well addressed systematically within plants. This means significant security input from design (Design Basis Threat analysis) through post-implementation testing (Force on Force Drills). Annual spending per plant on physical security is estimated at $10M to $15M.

The impact of a physical security event has the potential to be catastrophic. At the upper end, these events range up to compromise of the reactor core itself. While the impact of an event of this nature would be catastrophic, this risk scenario was planned for in initial plant design and with subsequent physical security programs. So, while the potential impact may be great and the threat high, the overall risk is low because of significant risk mitigation through design and ongoing physical security programs.

While the impact of a cyber security incident may not be quite as dramatic, it still has the potential to be very damaging. As plant IT environments become more networked and control systems are integrated within IT, the potential for a catastrophic event based on a cyber security incident greatly increases. The threat level is orders of magnitude higher at a nuclear power plant; they are attacked on an ongoing basis.

At the conference last week, the discussion revolved around what the final cyber security standard will be for the industry. There have been steps to develop a common risk and compliance framework through the NRC and NEI, but there has not been agreement on how to secure the US nuclear power industry. This needs to be addressed immediately (and one hopes it will be), but more importantly, power companies and plants need to begin to allocate appropriate budget to implement and maintain their cyber security programs. The investment will be substantial, and the organizations will need to plan accordingly. One way to look at the budgeting for cyber security is that, while it may not be quite as costly as physical security, it will be on that order of magnitude.