Here is the link to the report:
http://www.verizonbusiness.com/resources/reports/rp_2011-payment-card-industry-compliance-report_en_xg.pdf
(In the interest of full disclosure: I worked for Verizon Business from 2008-2009.)
For people who deal with Information Security on a daily basis, the results of the report shouldn't be a surprise. PCI is a great idea but really hard to do, and being compliant with PCI (or any standard) does not make you "secure". It should provide a baseline and a starting point for your security program; you can't just download a copy of the PCI DSS and say "this is my company's security standard".
The value that we as Information Security professionals provide is the ability to interpret business needs and security/compliance requirements into achievable configurations, standards, policies, etc. If we just try and implement something off the shelf (no matter how good it is) it won't fit, be complete, or meet the business objectives.
So take the time to become familiar not only with the security and compliance requirements of your industry or company, but also with the business drivers: what are the most important pieces of data (information, PHI, PII, crown jewels, etc.) to the various aspects of the business? Work WITH the business to get them to understand your concerns (in the same way you understand theirs) and build a better environment based on progress and trust.