Harmonizing Regulatory Compliance and Risk Management

Jun 5 2009   9:33PM GMT

Lessons Learned on a PCI Readiness Engagement



Posted by: Jeromie Jackson
allegro, octave, pci, pci readiness, risk assessment

I was recently involved in conducting a penetration test and helping a merchant prepare for their PCI examination.  A topic that often comes up during these pre-assessments is how and where to spend resources during the preparation.  The scenario usually plays out like this: the merchant's employees identify issues, the issues get put on a quick-hit list, and then cycles are spent fixing the items on that list.  While these risks may be relevant, I always have a tendency to pull the customer away from the keyboard for further discussion.

As most individuals know, security is not an absolute.  Security is about effectively managing risk.  There is no need to spend $100 securing an asset that is worth $1.  A more methodical approach is required.  I come from a technical background, and for MANY years I thought all the work people put into risk assessments and regulatory compliance was, for the most part, not improving their security posture.  After I worked as a de facto CISO for an insurance company, I found I was wrong.

Limited budgets, limited time, and limited mind-share require organizing the risks so that resources can be focused on the issues which most affect the organization.  I generally prefer the OCTAVE Allegro approach: it allows the team to work in smaller groups.  The smaller groups are more manageable and help mitigate the intensive political and cultural battles generally tabled in large audiences.

The lesson learned from this audit was that up-front education of the team on information security and risk management helps the team focus on the areas of greatest weakness, and keeps political and cultural strife contained.  With that in place, the groundwork for a more comprehensive, consolidated, optimized, efficient, and organized risk management program can be laid.
