PCI Compliance Is Not An Annual Event


Christmas morning is here for the compliance management industry. Verizon released the 2019 Payment Security Report last week; it is the de facto industry performance report for the PCI security space.

The requirement for organizations to comply with payment card industry regulations and to be assessed against payment card data security standards began in 2003. Sixteen years later, many organizations are still stuck in a wash-rinse-repeat cycle of annual validation. The time has come to move data protection and compliance processes and capabilities to higher levels of maturity. To do so, organizations need advanced navigational aids and guidance on how to integrate the applications of maturity models and metrics into their compliance programs.

Source: 2019 Verizon Payment Security Report

There is a common theme in the cyber security compliance space:

1. Rush to make sure that everything is ready for the annual audit.

2. Pass the test.

3. Breathe deeply and do not worry about keeping up for the next ten months until the next audit pops back up on the calendar.

Based on the continuing occurrence and severity of data breaches, many organizations appear to still be approaching compliance as a “check box” routine. Without a sound strategy to measure data protection effectiveness and sustainability, throwing money at data protection does little to prove an organization is getting better at maintaining compliance. This approach may lead to a false sense of security. Many organizations appear stuck in a reactive cyclic pattern, focusing only on meeting baseline compliance requirements. Compliance programs and organizational capabilities must continue to evolve and mature. Organizations must develop visibility, control, and predictability in compliance performance. This structure moves data protection from a state of being reactive to proactive.

Source: 2019 Verizon Payment Security Report

This insight is so accurate. Without visibility into how an organization is keeping up with compliance on a daily basis, most efforts are useless. It is like trying to find a path in the forest at night without a flashlight: futile! To quote the famous management consultant Peter Drucker, “You can’t manage what you don’t measure.” We have seen this for the last fifteen years. Heck, it’s even why we started our company: to give CISOs and cyber security personnel the tools to track compliance and to work with their organization on making it part of the fabric of daily life.

Compliance requires multi-party collaboration to succeed.

Compliance cannot be done in a vacuum. It requires the collaboration of many team members across several disparate teams. Compliance can involve the Human Resources department, Finance, Network Operations, Legal, and others, and sometimes a single control objective requires multiple teams to collaborate on an answer. As outlined in the report, 42% of companies use their compliance team to track security metrics, while 40% have the IT security department track compliance metrics.

Unless companies have a tool in place to enable this collaboration, it is next to impossible to keep track of responses and ensure they arrive on time. Additionally, the board or executive team must be kept in the loop on cybersecurity and compliance objectives. This communication also goes a long way toward securing the budget increases needed to enhance and maintain the overall infosec posture. Companies must create a common, jargon-free language to bring all parties into the security discussion.

The PCI DSS requires security policies, standards and procedures to be updated annually. How do you know whether managers and other employees are reading and following them?

When an organization’s security direction becomes a series of disjointed initiatives and policies, the outcome is inevitable: a drop in compliance, reduced control effectiveness and increased risk of a breach. The CISO must provide agile leadership and well-structured governance supported by clear communication and strong directives.

Source: 2019 Verizon Payment Security Report

Sustained PCI Compliance is declining. But why?

The rates of continual PCI compliance are falling. PCI compliance requires companies to maintain the effectiveness of all controls not only during the annual assessment but continually throughout the year. Interim compliance had risen from a low of 22.0% in 2009 to a high of 55.4% in 2016; by 2018 it was back down to 36.7%.

Consistent compliance, and therefore effective risk management, is heading in the wrong direction. Why is this happening? A lot of companies think they have programs in place, but they lack the means and metrics to manage compliance and risk on a consistent basis. This all sounds well and good when things are quiet and no one is screaming at you, but what happens when things do not go exactly as planned? In almost every business, compliance is one of the first things to go.

Everyone does what is necessary to put the daily fires out. In the process, corners are cut! People do not follow proper change control procedures, forget to check the log files daily, don’t log in visitors, take liberties with security to get past a troublesome issue… you get the picture. Companies need a strategy and the right tools to help keep them on track even when things don’t go exactly as planned.
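The gap between passing an audit and sustaining compliance becomes concrete when control evidence is evaluated day by day rather than once a year. The script below is an added illustration, not part of the post or of any vendor's product: the three controls, their cadences (daily log review and annual policy review follow the post; the quarterly vulnerability scan is an assumption) and the evidence dates are all constructed.

```python
"""Point-in-time vs. sustained compliance over a year of constructed control evidence."""
from datetime import date, timedelta

# Hypothetical controls with the maximum allowed age of their evidence, in days.
# Cadences follow the post: daily log review and annual policy review; the
# quarterly vulnerability scan is an added assumption.
MAX_EVIDENCE_AGE = {
    "daily_log_review": 1,
    "quarterly_vuln_scan": 92,
    "annual_policy_review": 365,
}

# Constructed evidence: the days each control was actually performed. Log reviews
# happen every day from mid-February through the March audit, then stop: the
# "rush for the audit, then relax" pattern the post describes.
AUDIT_DATE = date(2018, 3, 15)
EVIDENCE = {
    "daily_log_review": {date(2018, 2, 15) + timedelta(i) for i in range(45)},
    "quarterly_vuln_scan": {date(2017, 12, 1), date(2018, 3, 1)},
    "annual_policy_review": {date(2017, 6, 1), date(2018, 3, 10)},
}


def failing_controls(on, evidence=EVIDENCE):
    """Controls whose latest evidence on or before `on` is missing or too old."""
    failing = []
    for control, max_age in MAX_EVIDENCE_AGE.items():
        past = [d for d in evidence.get(control, ()) if d <= on]
        if not past or (on - max(past)).days > max_age:
            failing.append(control)
    return failing


def compliant_on(on, evidence=EVIDENCE):
    """Point-in-time view: what an assessor sees on a single day."""
    return not failing_controls(on, evidence)


def sustained_compliance(start, end, evidence=EVIDENCE):
    """Sustained view: (days fully compliant, days in period) across the whole window."""
    total = (end - start).days + 1
    good = sum(compliant_on(start + timedelta(i), evidence) for i in range(total))
    return good, total


if __name__ == "__main__":
    good, total = sustained_compliance(date(2018, 1, 1), date(2018, 12, 31))
    print("audit day compliant:", compliant_on(AUDIT_DATE))
    print(f"days fully compliant: {good}/{total} ({100 * good / total:.1f}%)")
    print("failing on 2018-07-01:", failing_controls(date(2018, 7, 1)))
```

The audit day passes cleanly, yet the organization was fully compliant on only 46 of 365 days; `failing_controls` is the per-day visibility the post argues for, naming which control slipped rather than reporting a single pass/fail.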

About Complyify’s Continual Compliance Management Tool

Complyify eases your PCI DSS compliance burden through an AI-powered platform that interviews your key team members to create a customized compliance journey tailored specifically for your company’s cybersecurity concerns.

Integrations with your assessors, security consultants, managed security service providers, and even your cloud platforms mean you’ll have everyone working together to manage your compliance obligations and manage risk effectively.

Compliance status against the current and upcoming PCI DSS (in addition to other common regulatory and commercial security standards) is easily visible at all times through dashboards tailored for executives, compliance managers, and team leaders.
