June 6, 2016
Every year there’s a fire drill within companies to complete their Payment Card Industry Data Security Standard (PCI DSS) audit. That’s in addition to the quarterly chaos necessary to complete the vulnerability scans that are also a part of the PCI DSS requirements. The reason behind the scramble is two-fold. First, companies are still in the archaic mode of manually compiling cyber risk data—including compliance data—into piles of spreadsheets that are then stitched together in an effort to show that the company has met all its requirements. Second, some companies do not practice continuous compliance, only worrying about it when the time comes to “check the box,” which creates a last minute rush to gather that manually generated data.
Large companies have tens or even hundreds of legacy systems—some of which store the company’s most valuable information—that are in scope for PCI DSS compliance. The systems are owned by different technology, line-of-business and application owners, each with their own administrators and experts. Enterprise security is responsible for coordinating with all of these parties to conduct vulnerability scans, penetration testing and validation, and the many other activities the PCI DSS requires. The effort is complicated by application owners who “give the Heisman” to the security department and do not allow testing and patching to be conducted regularly, because they are concerned that it will impact their application’s availability. The underlying tracking of this process is often maintained in a governance, risk management and compliance (GRC) system, but just as often ends up in a dizzying array of emails and spreadsheets being exchanged right up to the deadline for reporting.
In the best case scenario, the exchange goes something like this: The vulnerability manager requests a time window from the application owner for vulnerability scanning and penetration testing. The application owner provides a time slot, and the vulnerability manager schedules the scanning and testing. The scanning and penetration testing teams do what they need to do and provide results to the vulnerability manager. The vulnerability manager sends an email to the application owner and technical administrator regarding the patches or updates that are required. Emails about the scheduling of fixes go back and forth, fixes are implemented and the vulnerability manager is notified. The vulnerability manager then requests a new time window from the application owner for rescanning and retesting…wash, rinse and repeat until the tests are clean. That is the best case. More typically, there are bumps, rescheduling and system issues along the way that complicate the process further, and there are hundreds of applications, firewalls, routers, databases and systems that need to be tested, and sometimes retested, until the compliance requirements are met.
Based on recent discussions we’ve had with security leaders, we estimate that security managers can spend anywhere from 25 to 40 percent of their time compiling manual reports. Some companies cannot even complete the quarterly scanning process on time, so they use outdated information to fill in the gaps.
The process is so time intensive that the effort to “check the box” for compliance takes precedence over continuously protecting the company’s valuable assets. Companies end up compliant but not secure. There are well known examples of significant breaches that occurred shortly after passing a PCI DSS audit. Some companies structure their entire cyber security program around the annual audits and quarterly scans. For example, they will only scan for and patch vulnerabilities in line with their audits, so that no issues arise that will potentially show up as a negative finding.
Companies need to focus on security based on risk. If done correctly, compliance will come along for the ride. If a continuous compliance mode of security is practiced, focusing on identifying threats and remediating associated vulnerabilities on an ongoing basis, prioritized by asset value and risk, then compliance really does become a simple check-the-box task. That means identifying where a company’s most valuable assets live (including PCI assets) and who governs them, then providing the required information on a daily basis so application owners know what they need to do and can be held accountable for securing their environments. Enabling application owners and stakeholders with the right information on a regular basis empowers them to take action and promotes an overall culture of making security everybody’s business. When the compliance audits come around, lines of business are already involved in the cyber security process and are not forced into action simply to comply.
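To make the “daily information to application owners” idea concrete, here is an added example (not code from the original article or from Bay Dynamics) of the kind of report a continuous-compliance process would generate automatically instead of by spreadsheet. The asset inventory, owners, findings and scan history are constructed sample data; the 1–5 asset value scale, the finding identifiers, the “asset value times CVSS” priority and the 90-day window (chosen to match the quarterly scan cadence) are all assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

SCAN_WINDOW_DAYS = 90      # assumed: one clean scan per quarter, matching the PCI DSS cadence
TODAY = date(2016, 6, 6)   # report date for the constructed sample


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str        # application owner accountable for remediation
    value: int        # business value on an assumed 1 (low) .. 5 (crown jewels) scale
    pci_scope: bool   # True if the asset stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Finding:
    asset: str
    ident: str        # hypothetical finding id, not a real advisory number
    cvss: float       # base score reported by the scanner
    fixed: bool


@dataclass(frozen=True)
class Scan:
    asset: str
    when: date
    clean: bool       # True if the scan produced no failing findings


# Constructed sample inventory, findings and scan history (not real systems).
ASSETS = [
    Asset("cardholder-db", owner="payments", value=5, pci_scope=True),
    Asset("store-portal", owner="retail-web", value=3, pci_scope=True),
    Asset("intranet-wiki", owner="it-ops", value=1, pci_scope=False),
]
FINDINGS = [
    Finding("cardholder-db", "FND-1", cvss=9.8, fixed=False),
    Finding("store-portal", "FND-2", cvss=7.5, fixed=False),
    Finding("store-portal", "FND-3", cvss=5.0, fixed=True),
    Finding("intranet-wiki", "FND-4", cvss=9.0, fixed=False),
]
SCANS = [
    Scan("cardholder-db", date(2016, 2, 1), clean=True),    # last clean pass, now older than 90 days
    Scan("cardholder-db", date(2016, 5, 20), clean=False),  # recent, but it failed
    Scan("store-portal", date(2016, 5, 30), clean=True),
]


def risk_score(asset: Asset, finding: Finding) -> float:
    """Asset value times CVSS: a deliberately simple priority, assumed for this example."""
    return round(asset.value * finding.cvss, 1)


def stale_scans(assets, scans, today: date, window: int = SCAN_WINDOW_DAYS) -> List[str]:
    """In-scope assets with no clean scan inside the window (a failed scan does not count)."""
    cutoff = today - timedelta(days=window)
    last_clean: Dict[str, date] = {}
    for s in scans:
        if s.clean and s.when > last_clean.get(s.asset, date.min):
            last_clean[s.asset] = s.when
    return sorted(a.name for a in assets
                  if a.pci_scope and last_clean.get(a.name, date.min) < cutoff)


def prioritized_findings(assets, findings) -> List[Tuple[str, str, float]]:
    """Open findings across all owners, highest risk first."""
    by_name = {a.name: a for a in assets}
    rows = [(f.asset, f.ident, risk_score(by_name[f.asset], f)) for f in findings if not f.fixed]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def daily_report(assets, findings, scans, today: date) -> Dict[str, dict]:
    """Per-owner view: which assets are outside scan cadence, and what to fix first."""
    report: Dict[str, dict] = {a.owner: {"stale_scans": [], "open_findings": []} for a in assets}
    owner_of = {a.name: a.owner for a in assets}
    for name in stale_scans(assets, scans, today):
        report[owner_of[name]]["stale_scans"].append(name)
    for row in prioritized_findings(assets, findings):
        report[owner_of[row[0]]]["open_findings"].append(row)
    return report


if __name__ == "__main__":
    for owner, section in daily_report(ASSETS, FINDINGS, SCANS, TODAY).items():
        print(owner, section)
```

Run daily from the scanner’s export and the asset inventory, a report like this gives each application owner a short, dated list of what is overdue and what to fix first; the quarterly scan evidence then falls out of the same records rather than being assembled by hand at the deadline.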
Companies must also get rid of the archaic spreadsheet process and automate how they collect and analyze cyber risk information. Not only does the process waste valuable time that could be better spent on protecting the organization, it’s also error prone, allowing those who fill in the information to massage data to either paint a rosier picture than the truth or make the data look like it fits together and makes sense.
Many companies view compliance and security as a choice between putting their efforts towards something they know can shut them down (such as failing a compliance assessment) or something with repercussions that are unknown (such as getting breached). Unfortunately, too many discount the latter, dedicating the majority of their time to meeting compliance requirements that do not necessarily make them secure. If they left spreadsheet hell and focused on continuous compliance, they would no longer have to deal with last minute fire drills. Compliance would be a result of the everyday security process, making quarterly scans and annual audits as simple as pressing a button.
Steven Grossman is vice president of program management for New York City-based cyber risk analytics platform provider Bay Dynamics.