Recently Nick Selby posted on FudSec his article Showing the Oblomovs the Door. For those who care, an Oblomov is a lazy or apathetic person, and Oblomovism is the corresponding attitude. The blog post claims that information security professionals are “well-trained, well-intentioned” but “reduced [to] a series of relentless box-ticking” due to being “saddled with compliance management.”
The blog post further claims:
The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk. That is a fiduciary breach of CEO responsibility to shareholders. In addition to firing your ass, this should also be a floggable offense.
I agree one should use compliance as a guideline but manage it with respect to the business process. I disagree with the fiduciary statement on the grounds that one cannot claim a breach of duty based on a sparse case study and sweeping statements. The writer says this to lend grandeur to the claim.
The important part of this statement is that the focus is on the individual company and its own responsibility. Remember, if you ever want to get something done, don’t pass the buck.
The author, frustrated with the current implementation of compliance, states, “I stomped away from trying to influence security as an analyst because compliance … has managed to suck every ounce of oxygen from the room that is the security industry.”
Let’s just remember that history has shown that in the absence of legislation there is a downward spiral of corporate responsibility towards the protection of customer/consumer information and the well-being of others. To support this I point to the moments of punctuated equilibrium that led to the Food and Drug Administration (FDA), the Securities and Exchange Commission (SEC), marginally improved ecological laws in China, and the current global financial crisis, to name a few.
Let’s also take a moment to remember that regulatory compliance has been raising the bar of information security since 1999, starting with GLBA, then with HIPAA and SOX, and finally with PCI DSS. Is it because PCI DSS impacts nearly all business verticals on a global basis that it receives the most abuse from those who feel burned out?
Might I remind you that without such efforts the number of data breaches would be higher, much higher, than we see now, because people find it easier to blame someone or something else rather than take personal responsibility for their own work. The Information Security Management Handbook, by Tipton and Krause, has a section on diffusion of responsibility:
People behave differently based on the perception of being part of a group as opposed to being an individual. It has been commonly observed that people tend to work less in a group than as individuals when only group output is measured. People, in addition, tend to feel less responsibility in a group than as a single individual. The bigger the group, the lower the felt sense of responsibility. Social scientists call this diffusion of responsibility and the phenomenon is commonly observed across all cultures.
I believe that instead of blaming others, we as information security professionals need to become agents of change, starting with ourselves and our current environment and expanding outwards.
The blog then claims:
At this writing it’s unclear whether Black Hat and DefCon demonstrations will include the PCI-compliant account skimmers we’ve heard of, but the fact that they’re out there stands testament to the Pyrrhic victory that is the PCI Data Security Standard.
Please remember, the PCI DSS is meant to protect against the electronic and paper theft of payment card data. It is not meant in any way to prevent credit card skimming. If you wish to raise the issue of skimming, the correct approach is to make the case for a more secure payment card. That of course gives way to the larger questions of proper capital allocation and the conundrum of offline transactions and backwards compatibility.
I agree, sadly, with the blog post when it says, “PCI is not the minimum standard, it’s the maximum effort that many organizations make.” The question I have is, based on historical precedent (see above): are we better off with or without a carrot-and-stick approach? What impact has HIPAA had on the security of health care records vs PCI on the payment card industry? In which area do we see more movement?
Certainly, movement does not always imply movement in the correct direction, but I would claim that basic items such as PCI DSS Requirement 3.2, which tells merchants and service providers not to store sensitive authentication data after authorization, have done wonders for the security of our payment card data. How better to secure the data than to not retain it in the first place? We are seeing more and more trends in this direction, in this industry and others.
But isn’t it better to have a minimum standard than none? What if the minimum was for companies to do nothing?
Jeremiah Grossman stated, “nothing did more to build webappsec awareness than pci-dss. Now we need something to improve webappsec security.” I could not agree more, but let’s please remember that without awareness of a problem you cannot bring clarity or correction. People love to lambaste and transfer responsibility to others, all the while stomping away from personal responsibility.
If your company or those around you fail to see the forest for the trees of ‘industry best practices’, then I wonder if they are fit to run the information security department. Those who complain that ‘compliance’ is the problem are transferring responsibility to industry standards instead of working to secure their own infrastructure.
Do such standards need correction and evolution to mirror the evolving threat of attackers and the continued evolution of information security practices and technology? Certainly! I support Mr. Selby in his goal to drive higher standards and move towards risk management, but let’s do so by taking individual responsibility for our own management of risk.
Mr. Selby claims, “all this compliance stuff is preventing us from addressing risk and performing, you know, security.” Why? Did someone tell you that you cannot secure your data? Did someone tell you that by using the proper risk management practices you claim work so well you cannot pass the “minimum standard”? I support you in questioning and ferreting out anyone who makes such statements. For the rest of the unwashed masses, we need standards.
Mr. Selby ends his rant with a statement everyone should agree with, “Compliance – the state of being – is achieved as a by-product of well-managed risk, not through a relentless ticking of boxes”, which is then followed by high-level statements of positive thinking. The problem is that we need some tactical examples and guidelines to match the increasingly vague strategic statements. GLBA says to safeguard customer information, but how? And left to their own devices most companies will choose the cheapest possible way to implement the optics of compliance.
I argue that the PCI DSS has given concrete statements of how one secures an infrastructure, while giving the flexibility one needs to adjust for business and risk management (e.g., compensating controls, wireless and end-to-end encryption guidelines).
The problem lies not with our industry “best practices” but with the diffusion of responsibility that happens throughout every company. Let’s reference back to that Information Security Management Handbook article:
The effects of de-individualization and individualization are real and play a role in how users perceive their role in an information security awareness program. In the credit card processing call center example, de-individualization can encourage theft, carelessness, and loss of productivity.
I’d like to stop the blame game and see everyone start at home, transforming their company and being neighborly enough to share the information and results with others. Revolution has often come from emerging evolution of ideas and conversations. I commend Mr. Selby for the conversation, but wish it involved a greater focus on personal responsibility.
Take responsibility for your own security, risk management, and data protection. Start today.
Are you suggesting that PCI is a “carrot-and-stick” approach? Companies are PCI compliant to avoid punishment (fines), perhaps a better analogy is in order?
This is great stuff, Mike. I’ve been grappling with similar issues the last few months – under the guise of “responsibility without authority” – a problem of enablement that I think we’ve encouraged in the security industry. fwiw.
http://www.secureconsulting.net/2009/07/on_responsibility_without_auth.html
Great post! I totally agree with that – here is another post that points out your saying about data security and responsibility. I recommend reading the 1st and the 3rd posts.
Excellent post, Mike, and I’m glad you wrote it (you raise great points). I think you misunderstand my main point. Interestingly, my post was entirely about personal responsibility. What I said was that abdicating your security stance to that dictated by rulesets was a breach of your fiduciary duties to shareholders; that compliance [to rulesets] is achieved as a result of well-managed risk (that is, taking responsibility for risk results in doing the right thing in the first place) and that CEOs who hand the government or PCI the reins to state the minimum standards as writ deserve to be fired. That is absolutely and totally about personal responsibility, moreover it is about integrity.
What my post advocates is the separation of compliance tasks from the security department and an expansion of communication within organizations between traditional information security and other caches of useful security data. Of course I think frameworks and rulesets are a useful part of an organization’s IT strategy, but I repeat that compliance is not security.
Your comment about history showing that in the absence of legislation there exists a downward spiral of corporate responsibility towards protection of customer/consumer information and the well-being of others? That’s a religious debate I won’t enter, but will say that, for example, breaches have and always will happen and that industry rulesets like PCI DSS have not stopped them any more than SOX prevents corruption and falsification of records. Compliance is not security, even when it’s compliance with a ruleset intended to increase security. I raise again the point that rulesets treat as static and definable that which is ethereal and constantly changing. I’m sorry you missed the skimmer relevance; I’ll let my blog post stand as is.
With respect to the question of whether someone said we couldn’t secure data, my point is that, with their hands full of compliance tasks, many organizations don’t have the resources or time to do proactive security.
Concrete, tactical example of how I believe organizations should cooperate? In the simplest of a thousand examples, marketing departments almost certainly have information on brand abuse. Only in the most forward-thinking organizations is this shared with the information security department (it’s a great leading indicator of hanky panky and could speak to issues of brand management, piracy, counterfeiting and even physical threat), when that and data like it should ALL be being shared to help bring awareness of risks to senior management.
Thanks again for this – it’s a really important discussion and I hope to continue it!
Nick,
I think we both agree more than others might imagine and I appreciate your call today to discuss the issues.
Long term we need to evolve any process we have to include a movement towards both risk management (RM) and a capability and maturity model (CMM). This is the industry’s natural evolution of information security that many of us have heard being expressed for years.
I want to move the conversation forward while keeping the focus on individual self improvement, which for many larger companies will involve RM & CMM.