A recent Verizon report reveals that, for the first time in six years, PCI-DSS compliance is declining. Given that a correlation can be drawn between organizations that have been breached and organizations that were non-compliant, why would that be? In the last 14 years there has not been a single confirmed data breach of an organization that was fully PCI-DSS compliant at the time of the breach; in the Equifax incident, the breached system was not in scope for PCI-DSS at the time. Whatever else we disagree on, we can at least attest to the strength of the PCI security framework.

Ten years ago there was a marked increase in PCI-DSS compliance efforts, particularly in the financial services sector. In 2007 I led a security maturity project for American Express that included an enterprise security certification audit, both driven by preparation for PCI-DSS compliance. In 2009 I led an enterprise-wide corporate PCI program across 44 business units with a 29MM security infrastructure budget for a large financial services technology firm. Back then these efforts were growing rapidly and were designed not only to attain and maintain PCI-DSS compliance but also to establish a mature overall security posture. In recent years, however, PCI-DSS compliance efforts are often poorly funded, lack real political support from senior leadership, and compete against other initiatives for people and money.
Because PCI-DSS compliance has slipped down the priority list, many organizations seem more interested in compensating controls, obtaining exceptions and playing games with scoping than in performing a rigorous, comprehensive assessment and pursuing true remediation of findings. Many companies are also 'teaching to the test': validating once and then letting controls lapse. Indeed, half of organizations fall out of PCI-DSS compliance within nine months of validation. The challenge is not a skills gap: Verizon specifically says in the report that the decline in PCI-DSS compliance is not attributable to a knowledge problem or a technology failure. Companies don't need more technical know-how. They need to manage competing initiatives and resource constraints, execute the technical strategy efficiently, and ultimately manage what I like to call the intimidation factor: "how do we take all of these security gaps, design technical strategies, and execute those strategies against the timeline and resource constraints without full internal political support and in light of competing priorities?"
Organizations must see PCI-DSS compliance as an important part of customer value and as revenue protection. When I met with the president of international operations for a recent client, achieving PCI-DSS compliance factored prominently into her sales pipeline management. When I spoke with the US CISO for a recent client, achieving and maintaining PCI-DSS compliance was a contractual obligation monitored closely by their largest customers, with hundreds of millions of dollars at stake. Yet there is a disconnect between the importance of PCI-DSS compliance to the business and the juggled priorities of middle management, particularly in IT cost centers. Establishing good governance, with senior business leadership represented, is essential if PCI-DSS is to be taken seriously. IT leaders responsible for delivering PCI-DSS should get business leadership to sign off on a multi-year roadmap to reach the security targets. And while many IT and business leaders appreciate the amount of incremental work PCI-DSS imposes on the workforce, they fail to implement an organizational change management strategy to address the impacts on people and processes. That matters for sustainability because it directly affects employee morale and capacity. Finally, I draw an important distinction between project management and project leadership. Project managers produce acceptable results within known constraints and conditions, and report on them. Project leaders drive change: they get production out of your lowest-producing resources, they remove constraints and barriers, and they deftly navigate the internal politics of an organization to achieve outcomes.
Achieving and maintaining PCI-DSS compliance is hard on an organization. But leadership support, good governance, patience in building security maturity over several years, an organizational change management strategy, and project leaders rather than project managers will deliver a mature and sustainable PCI-DSS posture for your organization.