<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Chaordic Mind &#187; Security</title>
	<atom:link href="http://chaordicmind.com/blog/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://chaordicmind.com/blog</link>
	<description>Mixing childlike wonder with adultlike understanding</description>
	<lastBuildDate>Fri, 13 Jan 2012 17:13:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Capability and Maturity Model Creation in Information Security</title>
		<link>http://chaordicmind.com/blog/2011/10/28/capability-and-maturity-model-creation-in-information-security-2/</link>
		<comments>http://chaordicmind.com/blog/2011/10/28/capability-and-maturity-model-creation-in-information-security-2/#comments</comments>
		<pubDate>Sat, 29 Oct 2011 00:54:09 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[21827]]></category>
		<category><![CDATA[BSIMM]]></category>
		<category><![CDATA[capability maturity model]]></category>
		<category><![CDATA[CMM]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[ISM-cubed]]></category>
		<category><![CDATA[ISM3]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[maturity]]></category>
		<category><![CDATA[model]]></category>
		<category><![CDATA[OpenSAMM]]></category>
		<category><![CDATA[Payment Card Industry Data Security Standard]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[Security engineering]]></category>
		<category><![CDATA[SSE-CMM]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=689</guid>
		<description><![CDATA[This is a re-post of an article I wrote for IT Compliance Advisor, a part of TechTarget.com, in August 2009.  I find the material to be just as applicable now as it was then.  You can find a list of reference material here. One of the problems that many companies face is staying ahead of [...]]]></description>
			<content:encoded><![CDATA[<p><em>This is a re-post of an <a href="http://itknowledgeexchange.techtarget.com/it-compliance/capability-and-maturity-model-creation-in-information-security/">article I wrote for IT Compliance Advisor</a>, a part of <a href="http://www.techtarget.com/">TechTarget.com</a>, in August 2009.  I find the material to be just as applicable now as it was then.  You can find a <a href="http://chaordicmind.com/blog/2009/08/25/capability-and-maturity-model-creation-in-information-security/">list of reference material here</a>.</em></p>
<p>One of the problems that many companies face is staying ahead of the information security curve. Go too fast and you run the risk of wasting capital, but run too slow and you run the risk of being compromised. So how can a company escape the <a href="http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_040505_1">hamster wheel of pain</a>? Be proactive in managing risk and implementing a maturity framework for the organization.</p>
<p><a href="http://www.flickr.com/photos/93453114@N00/2906633775"><img class="alignright size-full wp-image-690" title="pci_wordcloud" src="http://chaordicmind.com/blog/wp-content/uploads/2011/10/pci_wordcloud.jpg" alt="" width="240" height="158" /></a>In an attempt to balance the two domains of cost and security, a continual tradeoff, many companies have implemented <a title="Regulatory compliance" href="http://en.wikipedia.org/wiki/Regulatory_compliance" rel="wikipedia">regulatory compliance</a> standards. These are good tools for measuring one's security against a known industry baseline. The classic example of this is the <a href="http://searchcompliance.techtarget.com/generic/0,295582,sid195_gci1364187,00.html">Payment Card Industry Data Security Standard</a> (<a title="PCI DSS" href="http://en.wikipedia.org/wiki/PCI_DSS" rel="wikipedia">PCI DSS</a>). Using standards like PCI DSS, companies can measure their adherence to eliminating sensitive data and protecting the remaining in-scope systems.</p>
<p>There are two problems with aligning an entire information security model along any singular guideline. It should be noted that, in the absence of <em>any</em> information security program, PCI DSS is a very good baseline standard.</p>
<p>The first challenge is <strong>the 0-to-100 problem</strong>. Some companies start with no information security program and try to adhere to something like PCI DSS. Much like measuring the acceleration of a car by how fast it can go from 0 to 100 miles per hour, these companies struggle with getting from 0 to 100 percent compliance in under 12 months. For these companies this means implementing security for the sake of a deadline, which means not always having the time to test what works and what does not.</p>
<p>The second challenge is <strong>the security limiter problem</strong>. Once companies reach 100 percent adherence to a given standard, many times they stop developing their information security program. These companies then enter a vicious cycle of identification and remediation. Each year, their auditors alert them to a new set of issues and, each year, the companies fix those and then relax until the following year.</p>
<p>So how do we escape this endless cycle of identification and remediation? How do we provide a way for companies to go from 0 mph to 50 mph in year one, 50 to 100 in year two, and still be inspired to go from 100 to 150 in year three? How do we become proactive instead of being reactive? One option for addressing these problems is the <a href="http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci930057,00.html">capability maturity model</a> (CMM) that involves <a href="http://searchcompliance.techtarget.com/tip/0,289483,sid195_gci1363739,00.html">risk management</a>.</p>
<p>A CMM is nothing new or innovative. It’s a useful approach for managing the maturity in a system. The <a href="http://www.amazon.com/Computer-Security-Handbook-Seymour-Bosworth/dp/0471412589">Computer Security Handbook 4th Edition</a> reveals that CMMs originated from software development. This book states that a CMM “can be used as a way to assess the soundness of a security product builder’s engineering practices during the many stages of product development.” If a CMM can be used for measuring the soundness of engineering practices, then why not leverage it to measure the soundness of information security practices?</p>
<p>A maturity model encourages continual growth rather than strict adherence to Procrustean boxes of information security. It’s the mathematical equivalent of the integral or the continual variable transmission of an automobile. It provides a smooth curve instead of designated endpoints of information security. For companies suffering from the 0-to-100 problem, a maturity model enables growth from 0-to-50 initially, with the projection of moving from 50-to-100 at a later date. Companies that suffer from the security limiter problem have the ability to continuously and proactively plan information security development to parallel growing business needs, instead of an independent set of criteria.</p>
<p>The <a title="Information security" href="http://en.wikipedia.org/wiki/Information_security" rel="wikipedia">Information Security</a> Management Maturity Model (ISM3, or ISM-cubed) provides us with the intersection of information security and a maturity model for growing an information security program. ISM3 describes the process this way:</p>
<p>“Rather than focusing on controls, it focuses on the common processes of information security, which are shared to some extent by all organizations.</p>
<p>Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality assured process framework. Performance targets are unique to each implementation and depend upon business requirements and resources available. Altogether, the performance targets for security become the Information Security Policy. The emphasis on the practical and the measurable is what makes ISM3 unusual, and the approach ensures that ISM systems adapt without re-engineering in the face of changes to technology and risk.”</p>
<p>In fact, the ISM3 is based in part on extending the Systems Security Engineering <a title="Capability Maturity Model" href="http://en.wikipedia.org/wiki/Capability_Maturity_Model" rel="wikipedia">Capability Maturity Model</a> (SSE-CMM), which is <a title="International Organization for Standardization" href="http://en.wikipedia.org/wiki/International_Organization_for_Standardization" rel="wikipedia">ISO standard</a> 21827. The SSE-CMM “describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering.”</p>
<p>In addition, consider the Building Security in Maturity Model (BSIMM), which is “designed to help you understand and plan a software security initiative.” There is also the Open Software Assurance Maturity Model (OpenSAMM) project, which can “help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.” These frameworks exist as tools for helping develop the maturity of organizations and software through the use of measured metrics.</p>
<p>And metrics is where all the magic really happens. Only by measuring the maturity of an organization and matching it to the development and progress of known attacks can we demonstrate that we are maintaining the balance between costs and security. There is a saying that if you and your friend are being chased by a bear, you don’t need to outrun the bear — you need only outrun your friend. In the world of ever-increasing compromises, many companies struggle to stay ahead of the curve. A maturity model, with proper metrics, can help your organization do just that. The best part? Companies that implement a maturity model and show measured growth are many times more likely to adhere to industry standards such as the PCI DSS.</p>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2011/10/28/capability-and-maturity-model-creation-in-information-security-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>LEVERAGE the World around you in 2011</title>
		<link>http://chaordicmind.com/blog/2011/01/09/leverage-the-world-around-you-in-2011/</link>
		<comments>http://chaordicmind.com/blog/2011/01/09/leverage-the-world-around-you-in-2011/#comments</comments>
		<pubDate>Sun, 09 Jan 2011 23:17:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Chaordic Thought]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[cost center]]></category>
		<category><![CDATA[delegation]]></category>
		<category><![CDATA[job]]></category>
		<category><![CDATA[leverage]]></category>
		<category><![CDATA[Martin Fisher]]></category>
		<category><![CDATA[podcast]]></category>
		<category><![CDATA[revenue center]]></category>
		<category><![CDATA[social networks]]></category>
		<category><![CDATA[Southern Fried Security]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=575</guid>
<description><![CDATA[Today I&#8217;m switching gears to talk about something we all do but don&#8217;t often consider, LEVERAGE. This post explores ways in which we can leverage the world around us to maximize our strengths. The areas we can leverage include our job (delegation), our career (social networks), our business (cost centers to revenue centers), and [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-576" style="border: 5px solid black;" title="neo" src="http://chaordicmind.com/blog/wp-content/uploads/2011/01/neo.jpg" alt="" width="210" height="210" /></p>
<p>Today I&#8217;m switching gears to talk about something we all do but don&#8217;t often consider, LEVERAGE.  This post explores ways in which we can leverage the world around us to maximize our strengths.  The areas we can leverage include our job (delegation), our career (social networks), our business (cost centers to revenue centers), and many more.  Many of these are examples of chaordic frameworks, but let&#8217;s expand on a few of these to better understand them.</p>
<p><a href="http://twitter.com/armorguy">Martin Fisher</a> kindly invited me as a guest on his <a href="http://www.southernfriedsecurity.com/?p=143">Southern Fried Security podcast</a>.  He stipulated that we talk about something other than PCI, which made me very happy since I&#8217;ve been looking for a venue to discuss some of my ideas for leveraging the world around you.</p>
<p>You&#8217;ve seen it done in the movie The Matrix where Neo bends the world around him to dodge and eventually stop bullets.  Let&#8217;s see how you can warp and leverage the world around you to maximize your ability to succeed in several areas of your life.</p>
<p><strong>Goal</strong></p>
<p>Martin stipulated that we should focus on how &#8220;information security professionals (especially leaders) need to position themselves (e.g. subjects to learn/become more familiar with, conferences to attend, ideas/concepts to embrace) better for 2011.&#8221;  Just like a life or career coach, let&#8217;s break this down into three categories in which we want to apply leverage:</p>
<ul>
<li>Job &#8211; by leveraging delegation either assigning tasks to others or taking on tasks of others</li>
<li>Career &#8211; maintaining networks (social, physical, electronic) to help make you better (smarter, more employable, etc.)</li>
<li>Business &#8211; turning cost centers into revenue centers</li>
</ul>
<p><strong>LEVERAGE your JOB</strong></p>
<p>Long ago I had a manager who believed you could delegate anything.  I thought this strange because to me there are some things you can easily get done yourself but assigning them to others will take much longer.  The problem with my old mindset is that you end up thinking you are the best person to perform 80% of tasks, thus taking up all your time and preventing you from leveraging the skills of others.  Remember, delegating is not just about getting other people to do work; it&#8217;s about assigning tasks based on area of expertise or helping someone improve and expand their skill set.</p>
<p>Task #1 is to delegate to others tasks that can help them grow or maximize their skills to complete a project.  Sometimes you won&#8217;t even know how a task will help someone grow until they complete it.</p>
<p>Task #2 is to time-share between those individuals who have taken on tasks and help them complete the task in a successful manner.  Assigning and walking away is often worse than never assigning at all.  For delegation to work you need to foster growth in those who are taking on the task and provide them the resources necessary to be a success.  Sometimes these tools are connections, access to resources, providing experience, or building confidence in their own abilities.  Sometimes these tools are timelines, deadlines, project management skills &#8211; whatever it is the individual needs to get things done.</p>
<p><strong>LEVERAGE your CAREER</strong></p>
<p>I landed my first job out of college via a job fair at the University.  I landed my second job via Lee Kushner, a professional recruiter.  Every job after that has been something I created myself or offered to me via my network of connections.  Beyond the simple job search, leveraging your network of connections can be critical to almost every success you see in your personal career.  When people talk about networks they may be discussing a wide range of topics including: social networks (twitter, facebook, linkedin); physical networks (co-workers, neighborhood friends, hackerspaces, meetups); or electronic networks (irc, email, phone calls).  Everyone has a different way of leveraging these networks but we all do it &#8211; either to keep in touch with friends or build communities.</p>
<p>Task #1 to grow and farm your network is to make smart connections.  You need to keep in touch. You need to help others build connections.  Growing and farming a successful network is not about helping you get something out of it but helping your network get something out of being connected to you.  It&#8217;s a strange thing in that regard that the most connected of us are not always the smartest individually, but they are able to connect you to a smart or capable person in the area of your interest.</p>
<p>One of my end-goals is to &#8220;connect smart people&#8221; and so every time I meet someone I think of someone else I can connect them to.  Working on a Bay Area art project? Reach out to <a href="http://twitter.com/chrisrusak">Chris Rusak</a>. Interested in lock picking? Reach out to <a href="http://twitter.com/deviantollam">Deviant Ollam</a>.  Want to know about creative data exfiltration techniques? Reach out to <a href="http://twitter.com/iiamit">Iftach Ian Amit</a>.  Social Engineering? <a href="http://twitter.com/mmurray">Mike Murray</a> and <a href="http://twitter.com/jaysonstreet">Jayson Street</a>. Need a job and are a skilled professional? <a href="http://twitter.com/ljkush">Lee Kushner</a>.  The list goes on and on.  Photography, life coach, physics, startup company &#8230; you name it and I&#8217;ve got a person for you to connect with.</p>
<p>Task #2 (and here is the tricky one) is to leverage your network to create a bigger/better network.  But why you ask? Isn&#8217;t it time to &#8220;harvest&#8221; the network?  No, never, nada.  The hard thing for people to wrap their heads around with networking is that the benefits to you are natural side effects not pre-planned end-goals.</p>
<p>Community growth is organic and as such so should be the way you leverage it.  For example, after starting <a href="http://securitybsides.org/">Security B-Sides</a> I thought we could leverage the 10-15 events to help solve the &#8220;big problems&#8221; facing the information security community.  Although not a bad goal, the idea that I could direct the solving of these &#8220;big problems&#8221; was an incorrect assumption.  Instead, I encourage companies to get involved in the community and organically solicit interested participants in helping them solve specific problems they are facing.  This type of involvement helps complete the organic virtuous circle of helping the community help itself.</p>
<p>I said it best via twitter:</p>
<blockquote><p><em>Every time I think tools are for making products someone reminds me that tools are made to build more tools.</em></p></blockquote>
<p><strong>LEVERAGE your BUSINESS</strong></p>
<p>Few people other than the CEO and CFO within a company think about things such as &#8220;cost centers&#8221; vs &#8220;revenue centers.&#8221;  For example, the sales and delivery departments may be revenue centers while the marketing and IT department may be cost centers.  Companies need to stop accepting these as a way of life and begin to think of ways to turn cost centers into revenue centers.</p>
<p>Case Studies:</p>
<blockquote><p>IBM realized long ago that their internal IT department was really good at providing one great company with IT services.  If the IT department could do good things for one company why not let it do good things for many companies?  IBM stopped thinking of IT as a cost center and turned it into IBM Professional Services and expanded the services offered to create an amazing organization.</p></blockquote>
<blockquote><p>Kaspersky Labs realized early on that marketing can be a cost center, but only if you let it.  They created a separately branded news company, ThreatPost, that grew into an organization unto itself.  Instead of hiring staffers to write all the articles they turned their marketing people into content farmers, connecting people who wanted to write about smart things with an audience of readers who wanted to learn.  In doing so they maximized their staff&#8217;s abilities to create more than any one individual could.  ThreatPost has since expanded from the US into Latin America with locally written articles in Spanish and Portuguese.</p></blockquote>
<blockquote><p><a href="http://www.informationweek.com/news/software/bi/showArticle.jhtml?articleID=159907864">Goldcorp had a problem</a> in that it didn&#8217;t know where next to mine for gold.  Instead of keeping its geological data secret it opened it up to the community and offered a prize for whoever could come up with the best place to mine for gold.  This was a big risk as no other companies were offering up their valuable geological data online for anyone, including their competitors, to access.  The payoff was huge and direct in their monetary return.</p></blockquote>
<p>Task #1 is to re-examine the parts of your company from marketing and HR to IT and supply-chain management.  Every part of your company that is a cost center may have the potential to be a revenue center.  Start questioning why you do things the way you do.  Why do we write our own marketing materials?  Amazon has users write book reviews for them.  Why do we pay people to solve problems? Many companies have developed APIs and allow others to write plug-ins to their software.  Find ways of letting other people solve your problems for you.</p>
<p>Task #2 is to pick one thing you want to convert from a cost center to a revenue center and focus on it alone.  Like a scientist trying to determine the key factor in an experiment, do not get overzealous and try to convert everything at once.  Remember that you are learning and want to take it one step at a time.  Find one thing to revolutionize and become very good at it.  Wash, rinse, repeat.</p>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2011/01/09/leverage-the-world-around-you-in-2011/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Your Security Left Behind : How compliance and security can play well together</title>
		<link>http://chaordicmind.com/blog/2010/12/29/your-security-left-behind-how-compliance-and-security-can-play-well-together/</link>
		<comments>http://chaordicmind.com/blog/2010/12/29/your-security-left-behind-how-compliance-and-security-can-play-well-together/#comments</comments>
		<pubDate>Wed, 29 Dec 2010 13:27:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[capability and maturity model]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[No Child Left Behind]]></category>
		<category><![CDATA[regulatory compliance]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=567</guid>
		<description><![CDATA[When measuring compliance results the data available is sparse and the analysis ranges from those who love it to those who hate it. Regardless of your personal, political or analytical beliefs the question remains about the efficacy of the practice itself. There are several approaches and conversations surrounding the aspect of regulatory compliance, but the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/archetypefotografie/5061416867/"><img class="alignright size-full wp-image-572" title="yoursecurityleftbehind" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/yoursecurityleftbehind.jpg" alt="" width="240" height="199" /></a>When measuring compliance results the data available is sparse and the analysis ranges from those who love it to those who hate it.  Regardless of your personal, political or analytical beliefs the question remains about the efficacy of the practice itself.</p>
<p>There are several approaches and conversations surrounding the aspect of regulatory compliance, but the question remains, &#8220;What leads to excellence in organizations and the security they implement?&#8221;</p>
<p>The conclusion of this post is simple: <strong>Excellence within an organization is not achieved by measuring the compliance of an organization but by measuring the compliance of individuals and employees.</strong></p>
<p>So how do we come to such a conclusion?  To start we identify the main points for and against regulatory compliance:</p>
<ul>
<li>Pro: It raises the minimum level of security</li>
<li>Con: It creates a glass ceiling that either (1) prevents proactive organizations from implementing better security or (2) encourages reactive organizations to never excel above a certain point</li>
</ul>
<p>Regardless of your opinion, both arguments focus around the precise level at which compliance measures an organization.  Isn&#8217;t that interesting?  Both the pro (for) and con (against) opinions seem to claim the same thing.  This would be a good thing if it encouraged security without limiting organizations.</p>
<p>Already, PCI compliance (credit card security) has been compared with the <a href="http://www2.ed.gov/nclb/landing.jhtml">No Child Left Behind or Elementary and Secondary Education Act (ESEA)</a> within the United States.  If this program is broken, let&#8217;s identify why, dispel false truths and come to a conclusion of how to learn from its lessons.</p>
<p>The fact remains, &#8220;nationwide: only 6 percent of U.S. students perform at the advanced-proficiency level in math, a share that lags behind kids in some 30 other countries, from the United Kingdom to Taiwan.&#8221;</p>
<p>Davi Ottenheimer <a href="http://www.flyingpenguin.com/?p=8929">wrote a summary</a> of an article in <a href="http://www.theatlantic.com/magazine/archive/2010/12/your-child-left-behind/8310/">The Atlantic titled &#8220;Your Child Left Behind&#8221;</a>.  It goes on to dispel many myths about the No Child Left Behind Act.  Eric Hanushek has spent &#8220;40 years calmly butchering conventional wisdom on education,&#8221; including the following:</p>
<ul>
<li>More money does not tend to lead to better results</li>
<li>Smaller class sizes do not tend to improve learning</li>
<li>No U.S. state does very well compared with other rich nations</li>
<li>Even relatively privileged students do not compete favorably with average students in other well-off countries. (In Illinois, the percentage of kids with a college-educated parent who are highly skilled at math is lower than the percentage of such kids among all students in Iceland, France, Estonia, and Sweden.)</li>
</ul>
<p style="padding-left: 30px;"><em>&#8220;Per student, we now spend more than all but three other countries—Luxembourg, Switzerland, and Norway—on elementary and secondary education. And the list of countries that spend the most, notably, has little in common with the outcomes that Hanushek and his colleagues put into rank order. (The same holds true on the state level, where New York, one of the highest-spending states—it topped the list at $17,000 per pupil in 2008—still comes in behind 15 other states and 30 countries on Hanushek’s list.</em></p>
<p><strong>If money, class size, and affluence of individuals do not impact classroom performance then why do we think that money, attack landscape, and intelligence of security professionals will impact the security of organizations?</strong></p>
<p>Davi <a href="http://www.flyingpenguin.com/?p=8929">writes</a>, <em>&#8220;The exception to this lazy approach is the state of Massachusetts, which has followed a path that found success in other countries. It has directly intervened and introduced compliance.&#8221;</em> But what kind of compliance? Was it simple testing that measured student performance against standardized tests?  Nope.</p>
<p>The Atlantic gives us a glimpse into the answer. <em> &#8220;What did Massachusetts do? Well, nothing that many countries (and industries) didn’t do a long time ago. For example, Massachusetts made it harder to become a teacher, requiring newcomers to pass a basic literacy test before entering the classroom. (In the first year, more than a third of the new teachers failed the test.) The state also required students to pass a test before graduating from high school–a notion so heretical that it led to protests in which students burned state superintendent David Driscoll in effigy. To help tutor the kids who failed, the state moved money around to the places where it was needed most. “We had a system of standards and held people to it–adults and students,” Driscoll says.&#8221;</em></p>
<p><strong>So what works?</strong></p>
<p style="padding-left: 30px;"><em>&#8220;Massachusetts, in other words, began <strong>demanding meaningful outcomes from everyone</strong> in the school building. Obvious though it may seem, it’s an idea that remains sacrilegious in many U.S. schools, despite the clumsy advances of No Child Left Behind. Instead, we still fixate on inputs—such as how much money we are pouring into the system or how small our class sizes are—and wind up with little to show for it. Since the early 1970s, we’ve doubled the amount of money we spend per pupil nationwide, but our high-schoolers’ reading and math scores have barely budged.&#8221;</em></p>
<p><strong>Problem Set</strong></p>
<p>My personal opinion is to focus on a capability and maturity model (CMM) of security and making regulatory compliance a natural side effect rather than an end goal.  Sounds academic; so where&#8217;s the beef?</p>
<p>The practical implementation of this is shown in the recent <a href="http://www.verizonbusiness.com/go/pcireport">Verizon PCI Compliance Report</a>, which showed that organizations fail at tasks that require human intervention or recurring activity. <em>Many organizations that focus on compliance as an end-goal fail to validate or maintain security throughout the year.</em> No shocker there, but how do we overcome the human side of security?  Security professionals have been talking about addressing the end-user for a long time, but these are not end-user problems; they are security-professional problems.</p>
<p>Can we just throw more money at the problem? Reduce the scope of compliance? Train our security staff? Well, studies of the U.S. education system show these methods to be ineffective since they do not encourage well funded security professionals to do things like review audit logs on a daily basis.  Even the most automated of systems are often times ignored for a variety of reasons.</p>
<p><strong>Conclusion</strong></p>
<p><em>Excellence within an organization is not achieved by measuring the compliance of an organization but by measuring the compliance of individuals and employees.</em></p>
<p>Building maturity models for information security implies an ever increasing maturity and level of security.  This helps break the proverbial &#8220;glass ceiling&#8221; of compliance by having the security of an organization grow in proportion to the ever evolving attack landscape.  This is so much easier said than done.</p>
<p>Our ability to achieve this goal hinges on our ability to encourage individual participation: encouraging individual security professionals to take action towards this goal.</p>
<p>So how useful is regulatory compliance? I advocate that compliance is good, but only in measuring the security of an organization at a point in time.  We need something much more than this to achieve real security.  We need something that will encourage validation and maintenance of security.</p>
<p><strong>Final &lt;rant&gt;</strong></p>
<p>Better security will not come from automation (DLP, audit log aggregation, etc.).  Better security will not come from more intelligent tools.  Better security will come from a higher standard within organizations to focus on maintaining security.  This leads to a discussion of cross-training security professionals on conversational business-speak and helping them build measurable, results-driven risk models&#8230; but that is for another day.</p>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2010/12/29/your-security-left-behind-how-compliance-and-security-can-play-well-together/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Top 10 Sexy Infosec Geeks of 2010</title>
		<link>http://chaordicmind.com/blog/2010/12/17/top-10-sexy-infosec-geeks-of-2010/</link>
		<comments>http://chaordicmind.com/blog/2010/12/17/top-10-sexy-infosec-geeks-of-2010/#comments</comments>
		<pubDate>Fri, 17 Dec 2010 18:55:41 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Alexander Sotirov]]></category>
		<category><![CDATA[Allison Miller]]></category>
		<category><![CDATA[Andrew Hay]]></category>
		<category><![CDATA[Banasidhe]]></category>
		<category><![CDATA[Bill Brenner]]></category>
		<category><![CDATA[Chris Nickerson]]></category>
		<category><![CDATA[Fyodor]]></category>
		<category><![CDATA[geeks]]></category>
		<category><![CDATA[Genevieve Southwick]]></category>
		<category><![CDATA[Gordon Lyon]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Jennifer Granick]]></category>
		<category><![CDATA[Katherine Nellums]]></category>
		<category><![CDATA[Leigh Honeywell]]></category>
		<category><![CDATA[MC Petermann]]></category>
		<category><![CDATA[Michelle Schafer]]></category>
		<category><![CDATA[sexy]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=541</guid>
		<description><![CDATA[Last year’s list was such a hit, I decided to do it again. This year I took into consideration nominations from comments on Facebook, Twitter and the blog. All those suggestions, as well as my own, took a trip  through the gravitron accelerator and here are the results! There are so many freaking awesome people. I try not [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://chaordicmind.com/blog/2009/12/28/top-10-sexy-infosec-geeks-of-2009/">Last year’s list</a> was such a hit, I decided to do it again. This year I took into consideration nominations from comments on Facebook, Twitter and the blog. All those suggestions, as well as my own, took a trip  through the gravitron accelerator and here are the results!</p>
<p>There are so many freaking awesome people. I try not to repeat people from year to year, and even then there are so many options. Long time friends and people I’m yet to meet. There should probably be a top 100 list!</p>
<p>My opinions are obviously biased by my network, projects, and perspective.  I encourage you to make your own list as well.  As always, feel free to disagree or add your own using the comments.</p>
<p><strong>10. <a href="http://twitter.com/mschafer">Michelle Schafer</a></strong><strong>, <a href="http://twitter.com/petermannmc">MC Petermann</a></strong><strong>, </strong><strong><a href="http://twitter.com/knellums">Katherine Nellums</a></strong> (our PR/Marketing trio)</p>
<p><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/MS_MC_KN1.jpg"><img class="aligncenter size-full wp-image-544" title="MS_MC_KN" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/MS_MC_KN1.jpg" alt="" width="589" height="250" /></a></p>
<p>Who would care about information security if it wasn&#8217;t widely distributed? These three women are the trio that connect with people, engage the conversation and raise the level of intrigue around the spurious conversations we create.  I know when they are in town a posse of infosec people are close-by conversing about the next big thing.</p>
<p><strong>09. </strong><strong><a href="http://twitter.com/banasidhe">Genevieve &#8220;Banasidhe&#8221; Southwick</a></strong></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/GenevieveSouthwick.jpg"><img class="aligncenter size-full wp-image-545" style="border: 5px solid black;" title="GenevieveSouthwick" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/GenevieveSouthwick.jpg" alt="" width="311" height="312" /></a></p>
<p style="text-align: left;">When you think of security, don&#8217;t forget the physical side.  Banasidhe is part-time bouncer, part-time physical security / facilities manager, and former Vinyl Vanna.  She ran security for most every major Security B-Sides event, and is the bouncer you don&#8217;t want to cross paths with &#8211; unless you&#8217;re an invited VIP.</p>
<p style="text-align: left;"><strong>08. </strong><strong><a href="http://twitter.com/hypatiadotca">Leigh Honeywell</a></strong></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/LeighHoneywell.jpg"><img class="aligncenter size-full wp-image-546" style="border: 5px solid black;" title="LeighHoneywell" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/LeighHoneywell.jpg" alt="" width="289" height="290" /></a></p>
<p style="text-align: left;">Leigh is co-founder of <a href="http://hacklab.to/">HackLab.TO</a>, a hacker community space with many events on hardware hacking.  She&#8217;s a mainstay at most security conferences and many times on stage discussing malware, hardware hacking, or women in infosec.</p>
<p style="text-align: left;"><strong>07. </strong><strong><a href="http://twitter.com/indi303">Chris Nickerson</a></strong></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/chrisnickerson.jpg"><img class="aligncenter size-full wp-image-547" style="border: 5px solid black;" title="chrisnickerson" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/chrisnickerson.jpg" alt="" width="303" height="325" /></a></p>
<p style="text-align: left;">Chris is co-organizer of Security B-Sides, former cast member of Tiger Team TV, and all-around good guy.  He throws massive parties in Las Vegas (BSidesLV), flies around the world to present at conferences, and maintains the international-man-of-mystery persona.  His opinionated straight talk is often grounded in experience on both the digital and physical side of the house.</p>
<p style="text-align: left;"><strong>06. </strong><strong><a href="http://twitter.com/alexsotirov">Alexander Sotirov</a></strong></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/AlexanderSotirov.jpg"><img class="aligncenter size-full wp-image-557" style="border: 5px solid black;" title="AlexanderSotirov" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/AlexanderSotirov.jpg" alt="" width="288" height="288" /></a></p>
<p style="text-align: left;">Sotirov is a founder and organizer of the <a title="Pwnie award" href="http://en.wikipedia.org/wiki/Pwnie_award">Pwnie awards</a> and was on the program committee of the 2008 Workshop On Offensive Technologies (WOOT &#8217;08) as well as Hackito Ergo Sum 2011.  In his spare time he bypasses memory protection and creates rogue certificate authority certificates.</p>
<p style="text-align: left;"><strong>05. </strong><strong><a href="http://twitter.com/billbrenner70">Bill Brenner</a></strong></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/billbrenner.jpg"><img class="aligncenter size-full wp-image-549" style="border: 5px solid black;" title="billbrenner" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/billbrenner.jpg" alt="" width="284" height="284" /></a></p>
<p style="text-align: left;">Bill has been covering the information security industry and documenting its past, present, and future for over [classified-redacted] years.  He knows and writes about those who need to be known, and covers stories ranging from the technical to the social, but always staying on or ahead of the next big thing.  His openness about himself is one of the many reasons people open up to him to share their stories.</p>
<p style="text-align: left;"><strong>04. </strong><strong><a href="http://twitter.com/nmap">Gordon &#8220;Fyodor&#8221; Lyon</a></strong></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/GordonLyon.jpg"><img class="aligncenter size-full wp-image-550" style="border: 5px solid black;" title="GordonLyon" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/GordonLyon.jpg" alt="" width="305" height="305" /></a></p>
<p style="text-align: left;">Gordon is an infosec luminary, having written Nmap, a tool that many claim is the reason they got into the industry in the first place.  He&#8217;s incredibly open and willing to talk to anyone. He is one of the few computer geeks who is sharply dressed at all times.  If you don&#8217;t know him you are missing out.</p>
<p style="text-align: left;"><strong>03. </strong><strong><a href="http://twitter.com/selenakyle">Allison Miller</a></strong></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/allisonmiller.jpg"><img class="aligncenter size-full wp-image-552" style="border: 5px solid black;" title="allisonmiller" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/allisonmiller.jpg" alt="" width="293" height="293" /></a></p>
<p style="text-align: left;">Think you know fraud? Think again! Ally is a key player on the front lines of preventing fraud.  She presents on risk/fraud across several continents.  Her work includes detecting automated crime malware, running her own band, and mentoring others in their career and passions.</p>
<p style="text-align: left;"><strong>02. </strong><strong><a href="http://twitter.com/granick">Jennifer Granick</a></strong></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/JenniferGranick.jpg"><img class="aligncenter size-full wp-image-551" style="border: 5px solid black;" title="JenniferGranick" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/JenniferGranick.jpg" alt="" width="306" height="301" /></a></p>
<p style="text-align: left;">Although she recently moved to another firm, her work for the <a href="http://www.eff.org/">EFF</a> has protected the digital rights of hackers and citizens alike.  I can&#8217;t say enough about the work that she and others at the EFF have done to prevent the abuse of our legal rights.</p>
<p><strong>01. </strong><a href="http://twitter.com/andrewsmhay"><strong>Andrew Hay</strong></a></p>
<p style="text-align: center;"><a href="http://chaordicmind.com/blog/wp-content/uploads/2010/12/andrewhay.jpg"><img class="aligncenter" style="border: 5px solid black;" title="andrewhay" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/andrewhay.jpg" alt="" width="283" height="302" /></a></p>
<p>As they say in Hitchhiker&#8217;s Guide to the Galaxy, &#8220;Vell, Andrew&#8217;s just zis guy, you know?&#8221;  The Zaphod Beeblebrox reincarnated, Andrew <a href="http://www.slideshare.net/BSides/my-life-on-the-infosec-dlist-andrew-hay">made &#8220;D&#8221; the new &#8220;A&#8221;</a> when it comes to &#8220;A-Listers&#8221;.  He brings humor and levity to every event.  He co-organized BSidesOntario2010.  He probably even got 4chan to rig this contest so he topped the list.  He&#8217;s so good, we still can&#8217;t count the hanging chads.</p>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2010/12/17/top-10-sexy-infosec-geeks-of-2010/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>How large brands engage the conversation &#8211; SecChat (Personal Health Information)</title>
		<link>http://chaordicmind.com/blog/2010/12/04/how-large-brands-engage-the-conversation-secchat-personal-health-information/</link>
		<comments>http://chaordicmind.com/blog/2010/12/04/how-large-brands-engage-the-conversation-secchat-personal-health-information/#comments</comments>
		<pubDate>Sat, 04 Dec 2010 23:48:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[EMR]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[SecChat]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=519</guid>
		<description><![CDATA[One of the things I like about Twitter is the flexibility it offers as a bi-directional communication channel.  I use it almost every day to communicate with or just read-up on what my friends are doing.  Mostly it&#8217;s just friends talking to each other and randomly erupting into flame-wars, just like on IRC.  Sometimes after [...]]]></description>
<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/bensonkua/2743081060/"><img class="alignright size-full wp-image-531" style="border: 5px solid black;" title="flowers" src="http://chaordicmind.com/blog/wp-content/uploads/2010/12/flowers.jpg" alt="" width="165" height="240" /></a>One of the things I like about Twitter is the flexibility it offers as a bi-directional communication channel.  I use it almost every day to communicate with or just read up on what my friends are doing.  Mostly it&#8217;s just friends talking to each other and randomly erupting into flame-wars, just like on IRC.  Sometimes after such a heated discussion people would later comment that they missed the brawl and wished they were able to engage.  This was partially the impetus behind #SecChat.</p>
<p>I really like it when vendors engage the audience instead of just tweeting their own marketing news briefs or re-tweeting other people&#8217;s content.  Engaging in actual conversations with actual people somehow breaches the corporate veil and makes large companies more &#8230; human.  There are a few companies that have done this well, such as <a href="http://twitter.com/TripwireInc">@TripwireInc</a> with their <a href="http://www.tripwire.com/blog/tag/pcihugitout/">#PCIHugItOut series</a>.  They leveraged the diplomatic skills of <a href="http://twitter.com/RealGeneKim">@RealGeneKim</a> and the arbitration skills of <a href="http://twitter.com/McKeay">@McKeay</a> to bring together <a href="http://twitter.com/joshcorman">@JoshCorman</a> and <a href="http://twitter.com/MikD">me</a>, with the goal of finding specific solutions to an issue that impacts most every company on earth.  <a href="http://twitter.com/cindyv">@CindyV</a> and <a href="http://twitter.com/MattHixson">@MattHixson</a> were the people behind the veil making everything happen, but it felt very organic and most of all, <a href="http://www.mckeay.net/2010/10/19/pci-hug-it-out-face-to-face-in-orlando/">constructive</a>.</p>
<p>Recently, <a href="http://twitter.com/McAfeeBusiness">@McAfeeBusiness</a> reached out to me about organizing another kind of engaging conversation.  The idea was to harness those flame-wars and schedule them so people who wanted to participate could.  <a href="http://blogs.mcafee.com/enterprise/security-connected/secchat-is-born-join-us-for-the-inaugural-twitter-chat">Thus was born #SecChat</a>.  The <a href="http://blogs.mcafee.com/enterprise/security-connected/first-secchat-raises-questions-on-securing-phi">first #SecChat topic was Personal Health Information (PHI)</a> and garnered more conversation than I honestly expected for a new hash-tag event like this.  (The concept is not new, there is also <a href="http://search.twitter.com/search?q=%23PrivChat">#PrivChat</a>, <a href="http://search.twitter.com/search?q=%23FTCpriv">#FTCpriv</a>, and others, but this was the first &#8211; to the best of my knowledge &#8211; focusing on security issues.)</p>
<p>The chat itself was interesting, but the behind-the-scenes work was even more interesting.  Katherine Nellums (<a href="http://twitter.com/knellums">@knellums</a>) and Haley Hebert (<a href="http://twitter.com/haleyhebert">@haleyhebert</a>), two of the active voices behind @McAfeeBusiness, reached out to me to discuss who would be good people to offline-invite to participate.  We ran through the usual suspects, analysts, and vocal voices, but also added to the list a few people you may not know who have much to say about the industry.</p>
<ul>
<li><a href="http://petehillier.wordpress.com/">Pete Hillier</a> (<a href="http://twitter.com/DeathwishDuck">@DeathwishDuck</a>) presented on <em>&#8220;So my Doctor has an EMR; should I worry?&#8221;</em> at <a href="http://www.securitybsides.com/w/page/26807426/BSidesOttawa">BSidesOttawa</a> and had some interesting points to make.</li>
<li>Nick Lewis (<a href="http://twitter.com/lewisnic">@lewisnic</a>), an old friend of mine and former Information Security Manager at a hospital.  He had direct experience implementing security for health care institutions.</li>
</ul>
<p>One person I wish had participated was Wes Rishel (<a href="http://twitter.com/wrishel">@wrishel</a>), the Gartner analyst who has been discussing Electronic Health Records for quite some time.</p>
<p>The conversation is sometimes referred to as &#8211; &#8220;E-consonant-R&#8221; &#8211; due to the format of &#8220;Electronic _____ Records&#8221; (Medical, Health, etc.)</p>
<p>My overall take is to not directly try to solve the problem of health care data security but to compare the approach to that of other data types.  My first concern is that people should understand the use cases for data before they espouse ways of protecting it.</p>
<p><strong>Use Cases</strong></p>
<p>Unlike payment-card data, which has very limited uses (authorization, clearing/settlement, chargebacks, recurring transactions, etc.), personal health information (PHI) has a plethora of use cases with a list a mile long of individuals who need access to it.  At a basic level, PHI data requires the following features:</p>
<ul>
<li><span style="text-decoration: underline;">Static</span>: Unlike payment-card data, which should only be needed for one-time use, PHI data by necessity must remain in place for reference at multiple points during the treatment and after-care of a patient.  I&#8217;d like to know that on each visit to a hospital the doctor would not start from square one. Instead, I want them to easily reference my medical history.  This requires health information to exist in a static environment, thus increasing the risk potential.</li>
<li><span style="text-decoration: underline;">Multi-access</span>: The more people who require access to data, the harder it is to protect.  With medical data, the hospital may need access, so does the doctor on call, and emergency access is also required from the Emergency Room.  The use case rules for medical data are so complex because, unlike other data, a failure of access to PHI may mean people die.  This emphasis on data access over data security puts a strain on those who try to wrap their arms around the <a href="https://twitter.com/#!/McAfeeBusiness/status/5344335402901504">problem set</a>.</li>
<li><span style="text-decoration: underline;">Mashable</span>: Sites like <a href="http://www.google.com/health/">Google Health</a>, <a href="http://www.healthvault.com/">Microsoft HealthVault</a>, and other Health Information Exchanges (HIE) enable individuals to aggregate, mix, and mash up their various health records.  This could mean big money for the HIE provider in ad revenue, but who owns this new aggregate data? It is certainly of value to insurance companies, who are already <a href="http://www.insurancelevel.com/twitter-insurance-companies.cfm">joining social networks like Twitter</a>. Hopefully these organizations are following <a href="http://twitter.com/#!/securelexicon/status/5346323473629184">HITECH security requirements</a>.</li>
<li><span style="text-decoration: underline;">Error Correction</span>: Nick made a <a href="http://twitter.com/#!/lewisnic/status/5349903676997632">valuable point</a>: <em>&#8220;Correcting medical history errors everywhere PHI is stored is harder than fixing issues with CC statements.&#8221;</em> True, in that it&#8217;s relatively simple to replace a compromised credit card number but virtually impossible to reinstate the security of compromised medical records.</li>
</ul>
<p>Overall, I like the idea of #SecChat and enjoyed the long-tail conversation.  Although I focused on the comments of core participants, there were others who would suggest a new take on the topic or share their personal experience, which I really appreciated.  It&#8217;s like having a personal conversation with close friends that enables bi-directional communication and input from thousands of others.</p>
<p>I like it and look forward to many more.</p>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2010/12/04/how-large-brands-engage-the-conversation-secchat-personal-health-information/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>PCI Compliance 2.0 &#8211; Week in Review</title>
		<link>http://chaordicmind.com/blog/2010/11/01/pci-compliance-2-0-week-in-review/</link>
		<comments>http://chaordicmind.com/blog/2010/11/01/pci-compliance-2-0-week-in-review/#comments</comments>
		<pubDate>Tue, 02 Nov 2010 04:03:58 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[1.2.1]]></category>
		<category><![CDATA[2.0]]></category>
		<category><![CDATA[Bob Russo]]></category>
		<category><![CDATA[Chris Hoff]]></category>
		<category><![CDATA[Davi Ottenheimer]]></category>
		<category><![CDATA[Gene Kim]]></category>
		<category><![CDATA[Martin McKeay]]></category>
		<category><![CDATA[PA-DSS]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[PCI SSC]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[SDLC]]></category>
		<category><![CDATA[virtualization]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=470</guid>
		<description><![CDATA[I&#8217;ve waited longer than usual to write about my feelings on the newly released PCI DSS and PA-DSS v2.0 standards by the PCI Security Standards Council.  I&#8217;ll give my own impression and then do a round-up of the various other blog posts and reactions to the update. Executive Summary Don&#8217;t panic! This too shall pass. (It&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve waited longer than usual to write about my feelings on the <a href="https://www.pcisecuritystandards.org/pdfs/pr_101028_standards_2.0.pdf">newly</a> released <a href="https://www.pcisecuritystandards.org/security_standards/documents.php">PCI DSS and PA-DSS v2.0 standards</a> by the <a href="https://www.pcisecuritystandards.org/">PCI Security Standards Council</a>.  I&#8217;ll give my own impression and then do a round-up of the various other blog posts and reactions to the update.</p>
<p><strong>Executive Summary</strong></p>
<p>Don&#8217;t panic! <a href="http://www.youtube.com/watch?v=UJKythlXAIY">This too shall pass</a>. (It&#8217;s true.)</p>
<p><strong>Timelines</strong></p>
<p>Since v2.0 was released October 28, 2010, the big question is: when do I have to start using it, and how long can I keep using v1.2.1?</p>
<ul>
<li><span style="text-decoration: underline;">PCI v1.2.1</span>: Can be used through the end of 2011. Organizations that are working under v1.2.1 must submit final reports no later than December 31, 2011.</li>
<li><span style="text-decoration: underline;">PCI v2.0</span>: Reports using v2.0 will not be accepted prior to January 1, 2011. Any assessment started after January 1, 2011 should begin to use v2.0.  Any assessment started after December 31, 2011 is required to use v2.0.</li>
</ul>
<p><strong>Changes Summary</strong></p>
<p>The PCI Council moved from a two (2) year to a <a href="https://www.pcisecuritystandards.org/pdfs/3_at-a-glance_lifecycle_for_changes_to_pcidss_andpa-dss.PDF">three (3) year standards cycle</a>, meaning the standards will stay static until 2013.  <a href="http://www.youtube.com/watch?v=nehhH9rfnaw">Tastes great vs Less filling</a>?  People will say this is bad because it does not change, but as <a href="http://netsecpodcast.com/?p=543">Bob Russo stated [26:30] in his podcast with Martin McKeay</a><em>, &#8220;as the landscape changes there is an errata process that&#8217;s involved in the standards. So we have the ability to issue errata anytime we need to, and if there is something that affects the standard and we have to address it immediately we are able to do that.&#8221;</em> In addition, there are the various Special Interest Groups (SIGs) creating content and clarification in areas such as scoping, encryption, tokenization, virtualization, Chip and PIN, wireless, etc.</p>
<p>The actual changes to the standards were more evolutionary than revolutionary.  This means they were clarifications and consolidations rather than major changes.</p>
<blockquote><p>The #1 change to impact the industry is not the release of v2.0 of the standard, but release of the PCI Scoping Guidance documentation (still to be released) from the PCI SSC Special Interest Group (SIG) on Scoping. (Full disclosure, I participate on the Scoping SIG.) <a href="http://www.realgenekim.me/blog/2010/7/29/my-bsideslv-slides-mobilizing-the-pci-resistance-lessons-lea.html">The scoping SIG is led by Gene Kim</a>, founder of Tripwire, and includes participation from QSAs and merchants alike.  This guidance documentation has the potential to clarify the way we look at the application of every control.  I believe it will bring standardization to the scope of assessments.</p>
<p>Check out Gene Kim&#8217;s presentation: <a title="2010 07 BSidesLV Mobilizing The PCI Resistance 1c" href="http://www.slideshare.net/realgenekim/2010-07-b-sides-mobilizing-pci-resistance-1c">2010 07 BSidesLV Mobilizing The PCI Resistance 1c</a></p></blockquote>
<p>For details on changes to the standard, I recommend reading the following two summaries:</p>
<ul>
<li>Qualys tech has a <a href="https://community.qualys.com/blogs/qualys-tech/2010/10/28/pci-dss-20-published">nice writeup of the key changes</a></li>
<li>Davi Ottenheimer has a <a href="http://www.flyingpenguin.com/?p=7666">good writeup on the Flying Penguin</a></li>
</ul>
<p>The key <a href="https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf">changes</a> I want to highlight:</p>
<ul>
<li><span style="text-decoration: underline;">Virtualization</span>: Yes, PCI DSS Requirement 2.2.1 is updated to use the word &#8220;virtualization&#8221; and it&#8217;s included in the overall scoping documentation as well.  I&#8217;ll defer to <a href="http://www.rationalsurvivability.com/blog/?p=2712">Chris Hoff&#8217;s writeup for details</a>. Remember that compliance standards should be &#8220;technology agnostic&#8221;; as such, any new technology can [theoretically] be used to comply with the standards as long as it is properly secured.</li>
<li><span style="text-decoration: underline;">Risk Management</span>: The emphasis for risk management increases.  It started with PCI DSS Requirement 12.1.2 which notes an &#8220;annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment.&#8221;  Now, PCI DSS 6.2 expands this to risk ranking vulnerabilities with, &#8220;establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.&#8221;  Though this is a recommendation until June 30, 2012 when it becomes mandatory, I don&#8217;t understand why anyone would NOT want to take a risk based approach.</li>
<li><span style="text-decoration: underline;">Secure SDLC</span>: The PCI DSS Requirement 6.5, formerly applicable only to &#8220;web applications&#8221;, now applies to all developed applications.  It is no longer tied to OWASP but now recommends best practices such as the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2010/11/01/pci-compliance-2-0-week-in-review/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>PCI Compliance: Tradeoffs, Newton&#8217;s Laws, Data Breach Rules</title>
		<link>http://chaordicmind.com/blog/2010/11/01/pci-compliance-tradeoffs-newtons-laws-data-breach-rules/</link>
		<comments>http://chaordicmind.com/blog/2010/11/01/pci-compliance-tradeoffs-newtons-laws-data-breach-rules/#comments</comments>
		<pubDate>Tue, 02 Nov 2010 01:30:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[chip and pin]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[magnetic stripe]]></category>
		<category><![CDATA[PCIR]]></category>
		<category><![CDATA[scope reduction]]></category>
		<category><![CDATA[tradeoffs]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=465</guid>
		<description><![CDATA[History and Background I&#8217;ve been deeply involved in the creation and maintenance of the PCI standards and framework since their initial inception.  Not only did I perform one of the first CISP assessments, I also wrote the framework for what is now the PA-DSS and performed the first PABP assessment ever. I&#8217;ve been more than [...]]]></description>
			<content:encoded><![CDATA[<p><strong>History and Background</strong></p>
<p>I&#8217;ve been deeply involved in the creation and maintenance of the PCI standards and framework since their initial inception.  Not only did I perform one of the first CISP assessments, I also wrote the framework for what is now the PA-DSS and performed the first PABP assessment ever.</p>
<p>I&#8217;ve been more than an implementer.</p>
<p>For a few years I trained all Qualified Security Assessors (QSAs) globally, and trained thousands of merchants, processors, and acquirers globally.  This experience taught me more than I could ever have hoped for because it instilled in me a deep understanding of the complexities within what we commonly refer to as the payment card industry (PCI).</p>
<p>Payment systems are complex, organic, and often legacy; they are complicated enough in the US alone when you consider the various acceptance channels, separate networks for credit vs debit, payment channels, issuers/acquirers, payment gateways, point of sale software, third-party processors, and millions of merchants that vary in size from 5 transactions per year to 500 million.</p>
<p>Now multiply that by a few hundred, since each country has its own nuances.  These range from the single-acquirer model in Central and South America to the multi-acquirer models in Spain, Italy, and other European countries.  In S. Korea you use your banking information, not your payment card, for e-commerce transactions.  In Brazil many merchants have a different payment terminal for each type of payment card they accept.  It&#8217;s not nearly as simple as we would like to imagine.</p>
<p>Bottom line: the industry is complex and any hack can find a loophole where a single standard may not apply to everything.  It is important therefore to <a href="http://www.youtube.com/watch?v=sDW6vkuqGLg">move beyond the literal wording and see the intent</a> behind the PCI standards.</p>
<p><strong>Tradeoffs</strong></p>
<p>No matter how smart you think you are, there is no simple solution.  It&#8217;s all a matter of tradeoffs, and my goal is to help you understand what some of those tradeoffs are.  Let&#8217;s look at a few examples:</p>
<ol>
<li><span style="text-decoration: underline;">Scope Reduction</span>
<ul>
<li>You can deploy a <a href="http://www.magtek.com/v2/products/secure-card-reader-authenticators/magnesafe-mini.asp">MagTek encrypted card reader</a> to encrypt all card present transactions in a tamper resistant security module (TRSM) hardware device so the data is not decrypted until it reaches your payment processor.  This could remove your card present transactions from the scope of PCI.</li>
<li>You can leverage <a href="http://www.akamai.com/html/solutions/security/edge_tokenization.html">Akamai Edge Tokenization</a> to prevent payment card data from ever hitting your e-commerce environment.  This could remove your card-not-present transactions from the scope of PCI.</li>
<li>Perfect, right? It&#8217;s all about tradeoffs.  You remove the need for PCI compliance and simultaneously remove the ability to use that data for other business processes.  Securing data is always a matter of tradeoffs.  I call this <em>Newton&#8217;s Second Law of Data Security</em>. For every action there is an equal and opposite business reaction.</li>
</ul>
</li>
<li><span style="text-decoration: underline;">Data Breach vs Fraud Costs </span>
<ul>
<li>One of the things that boggles my mind is that cardholders end up placing blame on their card issuing bank when they experience fraudulent activity on their payment card.  It wasn&#8217;t the bank that exposed your data in a data breach.  Instead it was more likely a merchant on the other side of the payment landscape that was breached and now it&#8217;s your bank who is absorbing the costs.  This is the digital equivalent of your neighbor&#8217;s house getting broken into and you paying for all the damage.  No matter how secure you make your house they continue to leave their house insecure and you continue to pay for damages. WTF?</li>
<li>The PCI standards were meant for the merchant acquiring side of the payment landscape to encourage these merchants to secure their house and thus reduce the amount of fraud occurring in the system.</li>
<li>In the United States we have mandatory data breach laws which mean the compromised merchant is required to notify the cardholder that a breach has occurred.  While some merchants may choose to ignore this, others simply cannot notify.  E-commerce merchants may have your name, address, and phone number, but card-present merchants may only have your card number and no real way to notify you in the event of a data breach.  Individual state laws permit the merchant to make a local or national announcement, but who is to know if you will ever hear about it?  Now, one party does have your name and address &#8212; the Issuing Bank &#8212; but they cannot disclose information related to a data breach due to non-disclosure agreements they have in place.  I&#8217;d like to see a world in which compromised merchants either notify me or permit the issuing bank to notify me on their behalf.  Which brings me to my next two laws:
<ul>
<li><em>Mike&#8217;s Data Breach Rule</em>: &#8220;They who expose my data should be the one to notify me.&#8221;</li>
<li><em>Mike&#8217;s Data Breach Corollary</em>: &#8220;If they who expose my data cannot notify me, they should permit another org to do so on their behalf.&#8221;</li>
</ul>
</li>
</ul>
</li>
<li><span style="text-decoration: underline;">Magnetic Stripe vs Chip and PIN</span>
<ul>
<li>For decades people have been proposing complex technologies that could &#8220;solve&#8221; the fraud problem within the PCI industry &#8212; most of them including some form of one-time-use payment card number.  I roll my eyes and remind the reader to re-read the complexity section above.  Sure, we can issue everyone a one-time use card number but this necessitates all transactions be on-line.  Suddenly we begin to see the problem with tradeoffs wherein you cannot make purchases in airplanes, or even in retail stores that go offline.  It is the desire of the merchant community to maintain support for multiple payment methods and options because nobody wants to be told they cannot accept a payment.</li>
<li>Still others cry mutiny at the banks that they claim are forcing a legacy technology on the merchant community called the &#8220;magnetic stripe.&#8221;  Again, not true.  Remember that the cost of upgrading all payment terminals in the US to support Chip and PIN is not a cost to be borne by the issuing banks who give you the card but by the acquiring banks and every small merchant in America.  Think this would be easy?  Consider for a moment that just the payment card system for a gas (petrol) station can cost upwards of $75,000 per pump!  That does not include the back-end software required to manage the pumps and transactions.  Now consider that every merchant of every type and complexity needs to upgrade their systems.  Oh, it will happen, but it&#8217;s not the banks forcing legacy card technologies; the reason we have not moved to Chip and PIN faster is due to resistance from the merchant community.</li>
<li>Read more details here: <a href="http://chaordicmind.com/blog/2010/05/29/the-real-deal-on-chip-and-pin-emv-in-the-us/">The Real Deal on Chip and PIN (EMV) in the US</a>.</li>
</ul>
</li>
</ol>
<p><strong>What Makes You So Special?</strong></p>
<p>That said, even with all the complexity of the various payment types and globalized networks &#8212; the variances in how data breaches occur are getting smaller and smaller.  This past week I spoke with a globe trotting PCI Forensic Investigator who told me that people always ask him, &#8220;so what fraud patterns do you see in your area of the world?&#8221; He replied with, &#8220;the same ones you see in yours and others see in theirs!&#8221;</p>
<p>Yes, there are variances.  As you chase the attackers out of one vector they move on to another.  Block card present, they move online.  Block online, they move upstream.  Block upstream, they move downstream.  At the end of the day, their tools are different but their target and intended goal is always the same.  So how do we defend against this ever present threat?  Scope reduction, data surrogacy, and data deprecation are some of the options, but we almost always have some data left to protect, and thus need a baseline for securing that data.</p>
<p>One thing the <a href="http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf">Verizon PCI Report</a> taught me is that organizations focused on compliance as the only goal tend to achieve that goal and then regress immediately thereafter.  In my opinion, organizations that take a continuously improving capability and maturity model towards information security tend to regress less.  Instead of seeing compliance as a goal these organizations see compliance as a byproduct of a solid security program.</p>
<p>I believe in PCI compliance and the need for it (see also: <a href="http://chaordicmind.com/blog/2010/03/23/how-compliance-regulations-get-made/">regulation-deregulation cycles</a>), but as many others have echoed &#8212; compliance is only a minimum &#8212; it is a baseline that we should continue to strive beyond.  If you feel that point-in-time compliance is the only thing you need, let me know so I can stop providing you my data to expose.</p>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2010/11/01/pci-compliance-tradeoffs-newtons-laws-data-breach-rules/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>On the Road with Mike Dahn</title>
		<link>http://chaordicmind.com/blog/2010/09/26/on-the-road-with-mike-dahn/</link>
		<comments>http://chaordicmind.com/blog/2010/09/26/on-the-road-with-mike-dahn/#comments</comments>
		<pubDate>Sun, 26 Sep 2010 20:47:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Black Hat]]></category>
		<category><![CDATA[BrightTALK]]></category>
		<category><![CDATA[conferences]]></category>
		<category><![CDATA[events]]></category>
		<category><![CDATA[ShmooCon]]></category>
		<category><![CDATA[speaking]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=450</guid>
		<description><![CDATA[I write this more for myself to keep track of things I&#8217;ve been up to so I can both reflect and track activity. This blog itself is a much larger representation of the same.  That caveated, here&#8217;s some recent events, talks, and items I&#8217;ve participated in: ShmooCon :: PCI: An Existential Threat To Security As [...]]]></description>
			<content:encoded><![CDATA[<p>I write this more for myself to keep track of things I&#8217;ve been up to so I can both reflect and track activity. This blog itself is a much larger representation of the same.  That caveated, here&#8217;s some recent events, talks, and items I&#8217;ve participated in:</p>
<ul>
<li>ShmooCon :: PCI: An Existential Threat To Security As We Know It? &#8211; Joshua Corman, Michael Dahn, Anton Chuvakin, Jack Daniel (5-7 February 2010)</li>
<li>BrightTALK :: <a href="http://www.brighttalk.com/community/governance-risk-compliance/webcast/6422">Evolution of a Standard: How Compliance Regulations Get Made</a> (25 Mar 2010)</li>
<li>Information Security Magazine :: <a href="http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1519689_mem1,00.html">PCI update could mean clarity or confusion</a> (Sep 2010)</li>
<li>BrightTALK :: <a href="http://www.brighttalk.com/community/governance-risk-compliance/webcast/22208">Does PCI Compliance Help or Hurt Migration to the Cloud?</a> (9 Sept 2010)</li>
<li>BrightTALK :: <a href="http://www.brighttalk.com/community/governance-risk-compliance/webcast/22209">Changes in the Payment Card Industry: Standards &amp; Implementation</a> (23 Sept 2010)</li>
<li>Black Hat :: <a href="http://www.blackhat.com/html/webcast/webcast-2010_compliance.html">Expanding Compliance into Critical Infrastructure</a> (23 Sept 2010) [Mike Dahn and James Arlen, moderated by Jeff Moss (Dark Tangent)]</li>
</ul>
<p>Attended but did not present:</p>
<ul>
<li>RSA San Francisco 2010</li>
<li>I-4 San Francisco 2010</li>
<li>SourceBoston 2010</li>
<li>Security B-Sides San Francisco, Las Vegas, Boston 2010</li>
<li>Electronic Transaction Association (ETA) 2010</li>
<li>PCI SSC Community Meeting (Orlando, FL) 2010</li>
</ul>
<p>(I&#8217;ll update this later in the year as things progress.  There are a few other events that aren&#8217;t open to the public but I&#8217;ll try to list/blog/share the presentations regardless.)</p>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2010/09/26/on-the-road-with-mike-dahn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Empty Slogans and their Effectiveness: Examples and Statistics</title>
		<link>http://chaordicmind.com/blog/2010/08/07/empty-slogans-and-their-effectiveness-examples-and-statistics/</link>
		<comments>http://chaordicmind.com/blog/2010/08/07/empty-slogans-and-their-effectiveness-examples-and-statistics/#comments</comments>
		<pubDate>Sat, 07 Aug 2010 10:32:19 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Chaordic Thought]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Click It or Ticket]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[Don't Mess with Texas]]></category>
		<category><![CDATA[litter]]></category>
		<category><![CDATA[McGruff]]></category>
		<category><![CDATA[rugged]]></category>
		<category><![CDATA[SDLC]]></category>
		<category><![CDATA[seat belt]]></category>
		<category><![CDATA[slogans]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[statistics]]></category>
		<category><![CDATA[Take a Bite out of Crime]]></category>
		<category><![CDATA[Texas]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=430</guid>
		<description><![CDATA[Call me the opinionated curmudgeon or the truth-telling sage.  Call me anything you want, but when you do please don&#8217;t use some empty slogan.  If there is one thing I dislike more than spin and FUD, it&#8217;s the empty slogans that back them up. Problem Statement Too many times I&#8217;ve heard analysts, and those wanting [...]]]></description>
			<content:encoded><![CDATA[<p>Call me the opinionated curmudgeon or the truth-telling sage.  Call me anything you want, but when you do please don&#8217;t use some empty slogan.  If there is one thing I dislike more than spin and FUD, it&#8217;s the empty slogans that back them up.</p>
<p><strong>Problem Statement</strong></p>
<p>Too many times I&#8217;ve heard analysts, and those wanting to make a name for themselves, coming up with phrases such as &#8220;wield the power or yield the power&#8221; without any real solution for change.  These empty slogans rally the uninformed with their easy to relate to sound, yet fall on dead ears of those who understand that complex situations cannot be solved with catch phrases.  At best empty slogans fall by the wayside, and at worst they deter progress by keeping people in the dark about the true complexities of problems, enabling the problem to persist and even exacerbate itself like a cancer.</p>
<p>I don&#8217;t have a problem with slogans that come with backing, but empty statements have no place in bringing about positive change.  My current frustration is with the slogan, &#8220;<a href="http://www.ruggedsoftware.org/">Rugged Software</a>&#8221;.  Is it a slogan or a challenge? Will it be effective or is it a hollow statement?  My position is that any effective call-to-action slogan must carry with it some meaning and, even better, a toolbox of items with which to execute it. This slogan has neither.</p>
<p><strong>History of Slogans</strong></p>
<p><strong><img class="alignright size-full wp-image-436" title="dmwt" src="http://chaordicmind.com/blog/wp-content/uploads/2010/08/dmwt.jpg" alt="" width="450" height="337" />1. &#8220;Don&#8217;t Mess With Texas&#8221;</strong></p>
<p>Probably the most well known slogan, though few know its intended purpose, is &#8220;<a href="http://dontmesswithtexas.org/history/">Don&#8217;t Mess With Texas</a>&#8221;.  This slogan has little to do with Texas individualism but with trash, or should I say litter.  That&#8217;s right, in 1985 the Texas Department of Transportation (TxDOT) used this slogan &#8211; after many failed slogans &#8211; to reduce the amount of litter on Texas roadways.</p>
<p>The National Cooperative Highway Research Program (NCHRP)&#8217;s Reducing Litter on Roadsides mentions &#8220;the campaign reduced the amount of visible litter on Texas highways by 72% in 6 years (Texas Department of Transportation 2008). The DOT asserts that the success is the result of, at least in part, the use of athletics and musicians who are admired by the target audience.&#8221;  After millions of dollars and a plethora of celebrity endorsements, middle-aged males were finally encouraged to reduce the amount of litter they threw out the window or onto the ground.</p>
<p>So why was this slogan so successful?  Earlier slogans such as &#8220;Don&#8217;t be a Butt!&#8221; failed to launch even though they targeted the same audience of 18-35 year old males that were most at risk for littering.  Remember that even back in 1985 we knew the leading cause of litter was cigarette butts.  A <a href="http://ktb.org/display.aspx?catid=9&amp;pageid=745">2005 Visible Litter Study</a> of Texas showed that:</p>
<ul>
<li>Over the course of 2009, approximately <em>1.1 billion</em> pieces of litter accumulated on our highways; while this represents a 33% increase over 2005, it marks an 11% <em>decrease</em> relative to 2001.</li>
<li>Why the increase in litter since 2005? Cigarette butts! Tobacco trash &#8211; including nearly <em>400 million cigarette butts</em> &#8211; comprised 43% of all litter on our roads.</li>
<li>The Texas Dept. of State Health Services estimates 18% of all Texans smoke, and six in 10 smokers admit they litter. What does that mean? <em>It means that just 11% of Texans are responsible for 43% of all our litter!</em></li>
</ul>
<p>Apparently not only does smoking kill, it also accounts for the greatest form of litter in Texas from 1985 to 2009.  In fact, &#8220;According to the VLS, the amount of litter in nearly every category has increased since 2005 &#8212; tobacco, cups and cans (non-alcoholic), construction items, household and personal, and automotive debris.&#8221;</p>
<p>Has the program been effective?  Well, picking up trash along the Texas roadside has <a href="http://www.ourtribune.com/article.php?id=10529">cost the state</a> &#8220;$47 million in 2009 &#8230; up from $38.7 million in 1986&#8221;.  This increase in costs persists even though <a href="http://www.cdc.gov/tobacco/data_statistics/tables/trends/cig_smoking/index.htm">studies show a nationwide decrease (by 50%) in smoking</a> from 1965 &#8211; 2007.  The smoking rate for Texans was <a href="http://online.wsj.com/public/resources/documents/st_SMOKE_20091113.html">18.6% in 2008</a>, almost on par with the national average.</p>
<p><strong><img class="alignright size-full wp-image-438" title="crime" src="http://chaordicmind.com/blog/wp-content/uploads/2010/08/crime.png" alt="" width="467" height="279" />2. &#8220;Take a Bite Out of Crime&#8221;</strong></p>
<p>On July 1, 2010, <a href="http://en.wikipedia.org/wiki/McGruff_the_Crime_Dog">McGruff</a> the Crime Dog <a href="http://blogs.usdoj.gov/blog/archives/882">turned 30 years old</a> with his famous slogan &#8220;Take a Bite Out of Crime&#8221; created for the National Crime Prevention Council. The goal was to reduce the levels of crime in 1980 which had reached a peak.  Now &#8220;crime&#8221; is a relative statement but is most often measured by a combination of violent crime and property crime.  There are other categories such as drug and cybercrime but for the sake of continuity of numbers we will account for just violent and property crime, the prime targets of the slogan.</p>
<p>According to the <a href="http://en.wikipedia.org/wiki/Crime_in_the_United_States">US Department of Justice, Bureau of Justice Statistics (BJS) figures</a>, &#8220;the crime rate had risen sharply in the late 1960s and early 1970s, bringing it to a constant all-time high during much of the 1980s, it has declined steeply since 1993.&#8221;</p>
<p>Though the anti-crime slogan was adopted in 1980, crime continued to rise for another decade.  In fact, if you review the <a href="http://bjsdata.ojp.usdoj.gov/dataonline/Search/Crime/State/StateCrime.cfm">BJS figures</a> along with the <a href="http://www.fbi.gov/ucr/05cius/data/table_01.html">FBI crime figures</a> you will notice a pattern outlined in the graphic above.  Both show a rise in violent and property crime from 1960 to a peak in about 1991-92.  This means the slogan either took 11-12 years to really take hold, or there&#8217;s another explanation for the decline in crime from 1993 to 2003.  (Some people suggest it was the introduction of the <a href="http://en.wikipedia.org/wiki/Three_Strikes_Law">Three Strikes Law</a> first passed by Washington state in 1993.  This turned out to be statistically incorrect after a 10 year study proved no correlation between such state laws and the reduction in crime.)</p>
<p>Instead, could it be the economic rise that lasted from 1993 &#8211; 2007?  If we measure the Dow Jones Industrial Average (DJIA) from 3,500 in 1993 to its height of 14,000 in 2007, one can easily understand why the violent crime rate followed an inverse pattern.  (Sure, there was a DJIA dip in 2002 but it rebounded in only a few short years.  Crime shows a leveling off in those years but still a decline across the board.)</p>
<p><strong><img class="alignright size-full wp-image-441" title="seatbelt" src="http://chaordicmind.com/blog/wp-content/uploads/2010/08/seatbelt.jpg" alt="" width="473" height="325" />3. &#8220;Click It or Ticket&#8221;</strong></p>
<p>One of my favorite examples of a slogan is &#8220;<a href="http://en.wikipedia.org/wiki/Click_It_or_Ticket">Click It or Ticket</a>&#8220;, a National Highway Traffic Safety Administration campaign to increase the usage of seat belts in the US.  The slogan campaign specifically targeted young adults due to their low usage of seat/safety belts.  According to the Social Marketing Institute that closely monitored this program, we understand the following items.</p>
<blockquote><p>Before 1980, usage of seat belts in the United States lingered around 11% despite volunteer and educational campaigns at local, county, and state levels. Between 1980 and 1984, individual organizations, public education programs, incentives and policy changes strove to increase the use of seat belts. However, these efforts failed to significantly affect usage in large, metropolitan areas, and by the end of the effort, national seat belt usage had reached only 15%.</p>
<p>In 1984, New York became the first state to enact a mandatory seat belt use law, and by 1990 37 other states had followed suit. The vast majority of these laws were &#8220;secondary safety belt laws&#8221;, meaning that an officer had to observe another traffic violation before issuing a citation for a seat belt infraction. Despite this, the national usage rate climbed from 15% to 50%.</p></blockquote>
<blockquote><p>An extensive evaluation of the program showed not only when both communication and enforcement were combined in a single unified marketing strategy, the results were impressive (a 14% reduction in traffic fatalities), but when the communication was withdrawn and the enforcement left in place, seat belt use dropped dramatically.  Once the communication component was restored compliance went back up.</p></blockquote>
<p>An empty slogan alone would not have helped save lives and neither would just the law.  It was the combination of strong communication and message of call-to-action (&#8220;Click It&#8221;) plus deterrent (&#8220;or Ticket!&#8221;) that made this slogan an effective winner.</p>
<p><strong>Analysis</strong></p>
<p>Each of the above three slogans teaches us some important messages about communication.</p>
<ol>
<li>&#8220;Don&#8217;t Mess with Texas&#8221; sounds to me like an empty statement and has little backing behind it.  Though it was effective for a short while, and though a high percentage of Texans associate it with anti-littering, the rate of such problems only slowed at best.  It is hard to say if the slogan was effective since the volume and cost of cleaning up litter both increased.  Perhaps the slogan slowed the activity but it had nowhere near the effectiveness as the seat belt slogan.</li>
<li>&#8220;Take a Bite Out of Crime&#8221; sounds a bit more direct.  It mentions the call-to-action and the direct object it wishes to affect.  It is debatable and perhaps unlikely that this slogan had a noticeable impact on crime, given the increase after its inception.  The eventual decrease in crime over a decade later can easily be explained by the economic jumpstart that raised the level of affluence across the board. (The <a href="http://www.britannica.com/blogs/2009/01/the-economy-is-bad-but-the-80s-were-worse/">1980s were one of the worst economic recessions</a> since the Great Depression in the 1940s.)</li>
<li>&#8220;Click It or Ticket!&#8221; is just a great slogan since it combines call-to-action with deterrent and, in this case, an actual law.  Police in many states can now pull people over just for violation of this law instead of previously requiring another, more serious, reason.  The statistics show clearly how a good slogan combined with enforcement can be a powerful duo in effecting change.</li>
</ol>
<p><strong>Conclusion</strong></p>
<p>How does one measure a slogan, and how does &#8220;Rugged Software&#8221; measure up?  Do you inherently understand the call-to-action? Is there a deterrent? Is the slogan celebrity endorsed and targeting the proper groups with the right incentives?  Only time and data will tell, but I challenge such organizations that wish to effect change to consider these criteria.</p>
<p>Moreover, I think a good slogan should also be backed by a solid set of tools, resources, guides, and such that lower the barrier to entry for people to participate.  In the case of litter due to cigarette butts, we can encourage the use of <a href="http://www.allbusiness.com/society-social-assistance-lifestyle/drugs-society-tobacco/6809511-1.html">additional ashtrays</a> in cars.  In the case of software, we should provide a series of guides, e-learning, checklists and such that provide guidance on how to secure applications based on both the functional use of the application and the language in which it is developed.</p>
<hr />
<p><span style="color: red;">Update:</span> I have received more cuss word feedback on this blog post than I have on anything else I have ever written; so let me clarify and explain the goals of my position.</p>
<p>I actually like the &#8220;Rugged&#8221; software movement as a method of raising awareness. I didn&#8217;t give it enough praise for starting a movement, but that is all it is, a start. Rugged is an infrastructure that, in order to be remembered as an effective movement, needs a nervous system and a muscular system.</p>
<p>Just like &#8220;Click It or Ticket&#8221; we need to pair the positive awareness with tools, checklists, and even enforcement of some sort (be that regulatory, legal or other).  I don&#8217;t want the success of Rugged to make people complacent or feel that a manifesto alone is an effective strategy.</p>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2010/08/07/empty-slogans-and-their-effectiveness-examples-and-statistics/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>How Compliance Regulations Get Made</title>
		<link>http://chaordicmind.com/blog/2010/03/23/how-compliance-regulations-get-made/</link>
		<comments>http://chaordicmind.com/blog/2010/03/23/how-compliance-regulations-get-made/#comments</comments>
		<pubDate>Tue, 23 Mar 2010 09:05:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Andy Grove]]></category>
		<category><![CDATA[Cat's Cradle]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Critical Mass]]></category>
		<category><![CDATA[hysteresis]]></category>
		<category><![CDATA[Ice-nine]]></category>
		<category><![CDATA[Kurt Vonnegut]]></category>
		<category><![CDATA[Nagel-Schreckenberg]]></category>
		<category><![CDATA[NaSch]]></category>
		<category><![CDATA[Only the Paranoid Survive]]></category>
		<category><![CDATA[Philip Ball]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulatory compliance]]></category>
		<category><![CDATA[slope]]></category>
		<category><![CDATA[traffic jam]]></category>

		<guid isPermaLink="false">http://chaordicmind.com/blog/?p=330</guid>
		<description><![CDATA[In April 2010 I&#8217;ll be at SOURCEBoston on a panel discussing how compliance regulations get made.  This got me thinking about how to explain in simple terms such a complex series of events.  I&#8217;ve previously discussed the question of &#8220;why&#8221; regulatory compliance is important and its relation to vaccinations.  Here I&#8217;d like to discuss the [...]]]></description>
			<content:encoded><![CDATA[<p>In April 2010 I&#8217;ll be at <a href="http://www.sourceconference.com/index.php/boston2010/sb2010-schedule" target="_blank">SOURCEBoston</a> on a panel discussing how compliance regulations get made.  This got me thinking about how to explain in simple terms such a complex series of events.  I&#8217;ve previously discussed the question of <a href="http://chaordicmind.com/blog/2009/11/08/what-does-regulatory-compliance-have-in-common-with-immunization/">&#8220;why&#8221; regulatory compliance is important and its relation to vaccinations</a>.  Here I&#8217;d like to discuss the &#8220;how&#8221; of regulatory issues.</p>
<p>(If you&#8217;d like to hear about this and other PCI related issues then register for the <a href="http://www.brighttalk.com/summit/pcicompliance3">BrightTALK PCI Compliance Summit</a> on March 25, 2010.)</p>
<p>There are so many debates about the pros and cons of regulatory compliance, but they almost all focus on the individual rather than the population as a whole.  In fact, the best way to model and examine the evolution of regulation and <a href="http://en.wikipedia.org/wiki/Deregulation">deregulation</a> is through the eye of a scientist examining the entire population of players.</p>
<p><strong>Background:</strong></p>
<p>Let&#8217;s take a look at the history of regulation and deregulation.  The following are a few industries that have experienced both regulation and deregulation over the years; the list could equally include agriculture, telephone, communications (radio, TV, cable), medical and pharmacy.</p>
<ul>
<li><a href="http://gapingvoid.com/2007/04/07/tiny-ship/"><img class="alignright size-medium wp-image-332" title="order_chaos" src="http://chaordicmind.com/blog/wp-content/uploads/2010/03/order_chaos-300x185.jpg" alt="" width="300" height="185" /></a><strong>Airline</strong><br />
–Civil Aeronautics Board (1937)<br />
–Airline Deregulation Act (1978)</li>
<li><strong>Railway</strong><br />
–Interstate Commerce Commission (1887)<br />
–Railroad Revitalization and Regulatory Reform Act (1976) / Staggers Rail Act (1980)</li>
<li><strong>Trucking</strong><br />
–Motor Carrier Act (1935)<br />
–Motor Carrier Regulatory Reform and Modernization Act (1980)</li>
<li><strong>Energy</strong><br />
–OPEC price hikes (1973)<br />
–Emergency Natural Gas Act (1977)</li>
</ul>
<p>Each of these industries experienced a need for regulation and eventual deregulation in order to keep in check the potential for large problems that could impact large numbers of people (e.g. monopoly, poor conditions, unbounded risk, lack of consumer protection).  In 1935 Congress passed the Motor Carrier Act, which gave the Interstate Commerce Commission (ICC) authority to regulate trucking involved in interstate commerce.  When the confines of this regulation outlived their usefulness the tide turned.  From 1971 until the eventual passage in 1980, politicians worked to remove barriers to entry into this industry and finally passed the Motor Carrier Regulatory Reform and Modernization Act.  This cyclical pattern of regulation and deregulation occurs regularly in many industries.</p>
<p><strong>Pattern of Data Loss</strong></p>
<p><a href="http://datalossdb.org/"><img class="alignright size-medium wp-image-335" title="datalossdb" src="http://chaordicmind.com/blog/wp-content/uploads/2010/03/datalossdb-300x174.jpg" alt="" width="300" height="174" /></a>It is no surprise to anyone that there is a building momentum of data loss.  We can gather individual statistics from the news or get detailed statistics from <a href="http://DataLossDB.org">DataLossDB.org</a>.  Either way we notice a pattern of attacks and rising numbers of data breaches that makes us ask: is the situation getting better or worse?  Is what we are doing having the desired effect?</p>
<p>It&#8217;s very difficult to answer that question since the problem is multi-factorial, but there are signs that things are getting better.  As fraud shifts from one industry to another and from one method to another we are slowly driving it from the system.  (This type of analysis does not apply as easily to authentication/identity fraud, but may very well apply to system infiltration and data exfiltration techniques.)  For example, we see attack vectors moving from one method to another and from one geographic region to another.  Attackers originally stole data from flat files, but when those were encrypted the attackers began capturing data as it traversed the network.  When that was encrypted they began installing custom malware to capture data in memory, where it has to be in the clear in order to be processed.  Encryption at rest and in transit therefore moves the exposure rather than removing it.  Slowly the defenses are moving from system protection to network, to software, and finally to hardware protection.</p>
<p>As protection systems such as Chip and PIN were implemented across Europe and Asia we saw a drop in card-present fraud as the attackers moved to online and e-commerce (card-not-present) fraud (figures via <a href="http://en.wikipedia.org/wiki/UKPA">UKPA, formerly APACS</a>).  The attackers adapted to the system and moved on to other low-hanging fruit.</p>
<p><strong>History of Regulatory Time</strong></p>
<p>I can&#8217;t really do justice to replicating the work of David Lineman of Information Shield, so I&#8217;ll simply reference his paper &#8220;<a href="http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf">A History of Regulatory Time</a>&#8221; and his graph showing a timeline of security and privacy-related regulations.  Map the regulations on the timeline below against the major data breaches of recent years and the correlation emerges: regulation follows, in reaction, the rising tide of data breaches.</p>
<p style="text-align: center;"><a href="http://www.informationshield.com/papers/A%20History%20of%20Regulatory%20Time.pdf"><img class="aligncenter size-full wp-image-336" title="historyofregulation" src="http://chaordicmind.com/blog/wp-content/uploads/2010/03/historyofregulation.jpg" alt="" width="774" height="453" /></a></p>
<p><strong>Inflection Points and Traffic Jams</strong></p>
<p><img class="alignright size-thumbnail wp-image-337" title="slope" src="http://chaordicmind.com/blog/wp-content/uploads/2010/03/slope-150x150.jpg" alt="" width="150" height="150" />Simply analyzing data breaches and their respective reactionary regulation doesn&#8217;t paint a precise picture of how the regulations are formed, only that they are somehow correlated.  To understand this we need to first understand a little about math.  An inflection point is where the <a href="http://en.wikipedia.org/wiki/Grade_%28slope%29">slope</a> of a curve stops increasing and starts decreasing (or vice versa): the curve bends the other way even though its value may keep rising.  In terms of data breaches, the number of breaches is currently increasing, but we can ask whether its slope is increasing or decreasing.</p>
<p>Andy Grove, co-founder of Intel, said in his book <a href="http://www.amazon.com/Only-Paranoid-Survive-Andrew-Grove/dp/0385482582"><em>Only the Paranoid Survive</em></a> that &#8220;An inflection point occurs where the old strategic picture dissolves and gives way to the new.&#8221;   We need to find this inflection point in order to understand whether the increasing numbers reflect a state of growth or decline in the system, something we are (unfortunately) only able to measure over time.</p>
<p>A closely related concept is familiar to physicists as &#8220;<a href="http://en.wikipedia.org/wiki/Hysteresis">hysteresis</a>&#8221;: the state of a system depends not only on its current input but on the path by which it got there.</p>
<blockquote><p>For example, consider a thermostat that controls a furnace. The furnace is either off or on, with nothing in between. The thermostat is a system; the input is the temperature, and the output is the furnace state. If one wishes to maintain a temperature of 20 °C, then one might set the thermostat to turn the furnace on when the temperature drops below 18 °C, and turn it off when the temperature exceeds 22 °C. This thermostat has hysteresis. If the temperature is 21 °C, then it is not possible to predict whether the furnace is on or off without knowing the history of the temperature.</p></blockquote>
<p><img class="alignleft size-full wp-image-341" title="sinewave" src="http://chaordicmind.com/blog/wp-content/uploads/2010/03/sinewave.gif" alt="" width="300" height="165" />The question we always ask is &#8220;<span style="text-decoration: underline;">Where are we on the Sine Wave of Pain?</span>&#8221;  Is the rate of negative events increasing or decreasing?  The only way to know is to gather and map data, measure trending patterns in the industry, and make calculated estimates as to which it is.</p>
<p>One thing is for sure: the population, not the individual, drives regulation.  It is the population that examines the rising data loss numbers and decides when it wants change, and it is this demand for change that ultimately starts the regulation engine to effect what the individual cannot achieve directly.</p>
<p><strong>Traffic Patterns and Modeling</strong></p>
<p>Still, all we have shown at this point is that an accumulation of events can result in change demanded by the populace.   How that change is enacted is an area of great interest and one that draws from, of all things, traffic patterns.  Before getting into that I&#8217;d like to reflect on different types of phase shifts seen both in nature and in fiction.  We are all familiar with water freezing into ice and ice melting back into water.  It was Kurt Vonnegut who in his book <em>Cat&#8217;s Cradle</em> first proposed the fictional concept of <a href="http://en.wikipedia.org/wiki/Ice-nine">Ice-Nine</a>.  This was said to be a polymorph of water that freezes at 45.8 °C (114.4 °F) instead of 0 °C (32 °F).  The idea being that ice could maintain its solid form even at room temperature, which is around 20 °C  (68 °F) to 25 °C (77 °F).  In the book, it would take only a single fragment of &#8220;ice-nine&#8221; coming in contact with the ocean for all the oceans to freeze instantly.  This shows how a seemingly stable system can react suddenly when given the proper catalyst.</p>
<p><img class="alignright size-full wp-image-342" title="NaSch1" src="http://chaordicmind.com/blog/wp-content/uploads/2010/03/NaSch1.gif" alt="" width="355" height="211" />A common method of modeling traffic patterns is the <a href="http://de.wikipedia.org/wiki/Nagel-Schreckenberg-Modell">Nagel-Schreckenberg</a> (NaSch) model, a cellular automaton in which, every time step, each car on a ring road accelerates by one, brakes to the gap in front of it, randomly slows down with some probability, and then moves.  (For more detailed information on this model I recommend reading <a href="http://www.myhomezone.co.uk/project/Report.htm">Traffic Simulation using Agent-Based Modelling</a> by Andrew Lansdowne.)  The diagram to the right shows the model&#8217;s fundamental diagram: traffic flow (y-axis) plotted against traffic density (x-axis).  As the traffic density increases the traffic flow increases, up to point &#8220;A&#8221;, the critical density.  This is the density at which a change can occur but not at which it must occur.  If everyone continues driving along at the same rate the density can increase until a critical event occurs that breaks down the system.  An example is one driver applying the brakes, which causes the driver behind to do the same, and on and on.  Point &#8220;B&#8221; is the moment at which the critical event occurs.  From there the traffic flow decreases, representing the slowing of traffic, until the density is so high it stops (point &#8220;D&#8221;).</p>
<p><img class="alignleft size-full wp-image-343" title="NaSch2" src="http://chaordicmind.com/blog/wp-content/uploads/2010/03/NaSch2.gif" alt="" width="381" height="264" />One interesting feature of this series of events is that the traffic flow pattern always moves in a cycle from point A to B, to D and back to A, in that order.  Traffic never goes from D to B, because doing so would require it to first traverse A.  Remember the term hysteresis?  In the book <em>Critical Mass</em> Philip Ball states, &#8220;A state of traffic depends not only on its density but on its history – on whether it was previously denser or less dense.  As the traffic rate rises and then falls, the flow rate follows a loop.&#8221;</p>
<p>We can examine the same dynamics in another form by mapping position on the road (x-axis) against time (y-axis).  As you can see in the second diagram, the position of each vehicle is traced over time.  The traffic jam is visible as a dense diagonal band across the diagram; it runs against the direction of travel, since a jam propagates backwards as each arriving car brakes behind the one in front.  Until the density decreases the jam persists; once it does we again see a greater flow of traffic.</p>
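<p>The NaSch model described above, as an added example that is not part of the original post or of Lansdowne&#8217;s report: a Python simulation of the four NaSch rules on a ring road that measures flow against density (the fundamental diagram, with its peak at the critical density at point A and the falling jammed branch toward D) and renders a text space-time plot in which a jam shows up as the diagonal band of the second figure.  The road length, maximum speed, slow-down probability, warm-up length and seeds are assumed parameter values chosen for the demonstration, not values from the post.</p>

```python
"""Nagel-Schreckenberg (NaSch) traffic cellular automaton on a ring road.

Added example, not code from the original post.  Parameter values
(road length L, vmax, slow-down probability p, warm-up length, seeds)
are assumptions chosen for the demonstration.
"""
import random

EMPTY = None  # an empty cell; an occupied cell holds the car's current velocity


def nasch_step(cells, vmax, p, rng):
    """Advance the road one time step using the four NaSch rules."""
    L = len(cells)
    positions = [x for x, v in enumerate(cells) if v is not EMPTY]
    new_cells = [EMPTY] * L
    n = len(positions)
    for k, x in enumerate(positions):
        nxt = positions[(k + 1) % n]        # car ahead, wrapping around the ring
        gap = (nxt - x - 1) % L             # empty cells between the two cars
        v = min(cells[x] + 1, vmax)         # 1. accelerate
        v = min(v, gap)                     # 2. brake so as not to hit the car ahead
        if v > 0 and rng.random() < p:      # 3. random slow-down (driver noise)
            v -= 1
        new_cells[(x + v) % L] = v          # 4. move (no collisions: v <= gap)
    return new_cells


def simulate_flow(density, L=200, vmax=5, p=0.3, warmup=300, measure=300, seed=1):
    """Mean flow (cars passing a fixed point per time step) at a given density."""
    rng = random.Random(seed)
    n_cars = round(density * L)
    if n_cars == 0:
        return 0.0
    cells = [EMPTY] * L
    for x in rng.sample(range(L), n_cars):  # random initial placement, all stopped
        cells[x] = 0
    for _ in range(warmup):                 # let transients from the start die out
        cells = nasch_step(cells, vmax, p, rng)
    moved = 0
    for _ in range(measure):
        cells = nasch_step(cells, vmax, p, rng)
        moved += sum(v for v in cells if v is not EMPTY)  # cell-advances this step
    return moved / (measure * L)            # equals density * mean velocity


def fundamental_diagram(densities, **kw):
    """(density, flow) pairs: the curve the post plots as points A, B and D."""
    return [(d, simulate_flow(d, **kw)) for d in densities]


def critical_density(diagram):
    """Density at which measured flow peaks (point A in the post's diagram)."""
    return max(diagram, key=lambda pair: pair[1])[0]


def space_time(density, L=60, steps=40, vmax=5, p=0.3, seed=2):
    """One text row per time step: '#' is a car, '.' an empty cell.
    A jam appears as a dense band drifting left (against the direction of travel)."""
    rng = random.Random(seed)
    cells = [EMPTY] * L
    for x in rng.sample(range(L), round(density * L)):
        cells[x] = 0
    rows = []
    for _ in range(steps):
        rows.append("".join("." if v is EMPTY else "#" for v in cells))
        cells = nasch_step(cells, vmax, p, rng)
    return rows


if __name__ == "__main__":
    diagram = fundamental_diagram([0.02, 0.05, 0.1, 0.15, 0.2, 0.3, 0.4, 0.5, 0.6, 0.8, 1.0])
    for d, q in diagram:
        print(f"density {d:.2f}  flow {q:.3f}  " + "*" * int(q * 100))
    print("critical density (approx.):", critical_density(diagram))
    print("\n".join(space_time(0.25)))
```

<p>Running the block prints a text bar chart of flow against density that rises roughly linearly while cars are in free flow, peaks near the critical density, and then falls toward zero as the road fills, followed by the space-time plot.  Flow is computed as the total number of cell-advances per step divided by the road length, which is the same as density times mean velocity; at density 1.0 every gap is zero, so nothing moves and flow is exactly zero.</p>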
<p><strong>What&#8217;s the Solution?</strong></p>
<p>As you can see, modeling traffic patterns maps surprisingly well onto the regulation and deregulation of an industry.  So what is the solution to an increase in incidents that pushes us past the critical density?  Contrary to initial thought, the solution to heavy traffic is not simply to build more roads.  In fact, Richard Moe, head of the US National Trust for Historic Preservation, once said &#8220;building more roads to ease traffic is like trying to cure obesity by loosening the belt&#8221;.  Simply applying &#8216;more&#8217; security does not mean you achieve &#8216;better&#8217; security.</p>
<p>I propose the following approaches:</p>
<ul>
<li><span style="text-decoration: underline;">Help prevent data sprawl</span> :: Security is required where data is maintained.  Does your environment reflect the &#8220;data, data, anywhere&#8221; or &#8220;data, data, everywhere&#8221; philosophy?  Do you know where all your data is? Does it exist in more locations than is necessary?  Check these items and set measurable actions to correct it.</li>
<li><span style="text-decoration: underline;">Examine use cases</span> :: While medical record data requires persistence, payment card data is used once, for the authorization, and then (recurring billing and refunds aside) never again.  The use cases are simple, which allows a flexible set of measures to secure the data.  If your business model does require retention of data then examine what data you are retaining and make sure it&#8217;s as benign as possible.</li>
<li><span style="text-decoration: underline;">Brute force is effective but costly, while the elegant solution is simple and secure</span> :: Have you ever considered replacing the data you retain with a reference number instead?  I recommend you <a href="http://pcianswers.com/2009/06/08/visa-leads-the-way-end-to-end-encryption/">read up on technologies such as point-to-point encryption and tokenization</a>.</li>
<li><span style="text-decoration: underline;">Solve tomorrow&#8217;s problems with today&#8217;s technology</span> :: Problems are not hard if you know which ones to solve.  I recommend absorbing and comparing as many of the <a href="http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/">data breach reports</a> (<a href="https://www.trustwave.com/whitePapers.php">more</a>) as you can to determine what emerging attack patterns exist in your industry and how to prevent them.  If you are only able to implement one set of technology every 10+ years then make sure it solves tomorrow&#8217;s problems and not yesterday&#8217;s.</li>
<li><span style="text-decoration: underline;">Plugging one hole doesn&#8217;t save the levee</span> :: Reducing card present fraud drives attackers to e-commerce.  Reducing fraud in one country drives them to others.  Only a holistic solution will work on such interconnected systems.  This is one of the arguments for industry regulation.</li>
</ul>
<p><strong>3 Habits of Highly Effective Regulation</strong></p>
<p>In the end there are three attributes, or habits, that make regulation effective in achieving adoption and acceptance.</p>
<ol>
<li><span style="text-decoration: underline;">Education, education, education</span> :: This is the single most effective method of driving adoption.  People want to know how to interpret, implement, and adopt the regulation to their business model.  I&#8217;ve seen more people fail to start because they didn&#8217;t know where to start than anything else.  People want to know if they can use a $0.10 piece of duct tape or if they need to replace the entire engine of the car.</li>
<li><span style="text-decoration: underline;">Flexibility of controls</span> :: This is an attribute of so many regulations because they apply to such a range of companies, industries and sizes of organization.  Remember that <a href="http://securityblog.verizonbusiness.com/2010/03/11/plane-crashes-and-security-breaches/">100% compliance is not the goal when system failures occur in groups</a>.  The PCI DSS has what&#8217;s called &#8220;compensating controls.&#8221;  The EU Data Protection Directive has the &#8220;comply or explain&#8221; concept.  Even the ISO 27000 series does not mandate 100% adherence to each and every control; ISO 27001 lets you exclude controls in the Statement of Applicability as long as you justify the exclusion.</li>
<li><span style="text-decoration: underline;">More data for Risk Modeling</span> :: Let&#8217;s consider this without getting into a debate over Frequentist vs. Bayesian statistics (I&#8217;ll leave that to <a href="http://www.ustream.tv/recorded/5165866">Alex Hutton</a>).  The more data we have, the more closely we can make educated decisions about how to evolve the standard, protect against failure, and decide how to proceed.  More data will help us recognize when we have reached an inflection point and ultimately determine when rising regulation turns toward deregulation.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://chaordicmind.com/blog/2010/03/23/how-compliance-regulations-get-made/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>


