Charting the best strategic method for your organization


Pretend you are a CISO asked to deliver a compelling, three-minute narrative on how your company is effectively meeting data security compliance requirements. Many CISOs would struggle to do so because there’s so much information to cover. CISOs frequently spend too much time explaining technical details and being involved in the time-consuming task of managing a multitude of security vendors. To successfully deliver that compelling narrative, you need a framework that distills a response down to the most essential components: clarity on goals, requirements (their success factors and necessary conditions) and constraints.

Too many CISOs are still stuck in approaches from 20 to 30 years ago. They are decades behind in the way they should operate, much as Rolf M. von Roessing pointed out in 2010:

“Information security professionals continue to find themselves reacting to issues within the enterprise rather than taking a proactive stance. This constant firefighting leaves little time for innovation, strategic thinking and planning. Security professionals revert to applying controls to problems as they arise, often with an over-reliance on technology. This is often accompanied by a lack of historical data, so problems continue to occur, even though they have been ‘fixed’ at some previous point.” [24]

This does not have to be the case today. CISOs and security departments can overcome constraints that are impeding success by applying the correct frameworks and overall approaches. By rethinking and reframing your approach to data security and compliance, methods, and priorities—and how you communicate them to executive teams and boards of directors—you gain control of the security direction of the organization and areas of internal operational investments.

Year after year, Qualified Security Assessors (QSAs) conducting compliance validation assessments discover that controls are not kept in place. Organizational failure to apply systems thinking to diagnose and solve recurring control and program performance issues is a major contributor to the problem. For some organizations, it’s a condition of “learned helplessness.” Learned helplessness is a psychological condition “in which a person has a sense of powerlessness, arising from a traumatic event or persistent failure to succeed.” [25]

While a PCI DSS compliance assessment could be viewed as a “traumatic event” for some (we hope not!), the definition of “persistent failure” is what’s most significant in this context.

Security teams may incorrectly perceive low sustainability of the PCI DSS control environment as an intractable problem that no efficient algorithm can solve. Solving an intractable problem hinges on two primary elements: determining the critical root cause and determining the most effective next action.

This helplessness occurs when two conditions are met: when there is no clear, perceived cause of the lack of sustainable control effectiveness (the problem), and when there is no clear next action—a next logical step to address a control system that lacks effectiveness and sustainability.

You need a method.

If you’re struggling to develop your security and compliance strategy and create a strategic plan that you are confident will deliver the required objectives and goal, you may be missing an effective method.

Why is it important to create a method or proven process for designing a strategic plan? Some of the most successful, sustainable products and procedures incorporate a proven process. Dentists adhere to a series of fail-proof steps when filling teeth. Builders prepare the land and have a secure method for building a foundation before constructing a house. Why wouldn’t security professionals apply a method of control design for security systems? What many organizations lack is a logical method to deconstruct the complexity of establishing clear goals and objectives, and the capacity to achieve them. Applying logical thinking is the ability to achieve progress in incremental, clear and predictable steps.

Defining goals is the first step in dealing with a complex problem.

For a surprisingly large number of organizations across the payment card industry, it’s not immediately obvious what they need to achieve with their data security and compliance programs. For many, this will become increasingly important with PCI DSS v4.0, which is why we are introducing a cohesive method to separate the most essential from the peripheral. In short, organizations need an LTP to clearly establish their goals, requirements and constraints. Developing the capability to determine root causes and formulate solutions to factors (constraints) that negatively influence the performance and outcome of the environment is an increasingly essential and unavoidable management task in the evolving security matrix. For more detailed information on goals, requirements and constraints, see page 21.

Focusing on your goals provides mastery over the problem.

It’s common for security teams to be spread thin and feel overwhelmed—as if they’re always just treading water. Increasing staffing can be difficult and is often only part of the solution. There seems to be too little time to focus on strategy and goals.

“A wealth of information creates a poverty of attention!” [26]
—Herbert A. Simon, economist, psychologist and Nobel prize winner

The reality is that strategic planning, coordination and execution at an operational level have become paramount for security and compliance approaches and programs to succeed—and avert costly data breaches. We’re not talking about annual task lists outlined by executive management. We’re referring to focus: application of scarce resources on clearly prioritized activities to drive outcomes that are of strategic, long-term benefit to the organization. Security teams need to remain focused on clearly defined goals with very specific objectives and stop being busy with tasks that don’t promote sustainable control effectiveness. Of course, this is easier said than done. The reality for most security teams is the daily battle of people and departments pulling them toward distractions and chipping away at the time available to work on activities that have higher long-term value and contribute to security and compliance strategic goals.

“There is nothing as useless as doing efficiently that which should not be done at all.” [27]
—Peter F. Drucker

Focus often means knowing when and how to say “no” to competing activities and tasks. Achieving focus requires avoiding distractions. For many security teams, this requires a deliberate reduction in scope of what others expect them to undertake. The security team’s attention must be diversified enough to cover the broad scope of security and compliance responsibilities, yet concentrated enough to maintain consistent progress toward the achievement of objectives. It requires the development of the team’s collective decision-making skills to triage requests based on risk (impact, probability and asset value) and relevance to the accomplishment of the strategic objectives. It’s imperative to focus on core strategic data security objectives, stay alert to unwarranted distractions, categorize secondary and tertiary objectives, and prioritize activities that contribute most to the sustainable effectiveness of the control environment.

Ideally, you should have a one- to five-year plan to focus on, though many organizations benefit from strategies that map out a program over an even longer period—up to 10 years. Strategies should be revisited several times throughout the year—even monthly—to make both large and incremental improvements. For additional information on security strategy, see page 43 of the 2020 PSR. [28]