By Tim Cranny
Panoptic Security Inc.
In recent articles I've talked about how Payment Card Industry (PCI) Data Security Standard (DSS) compliance needs to move toward a "risk management" approach to security.
Now is a good time to say more about what that approach is, how it works, and what its strengths and weaknesses are. Fortunately, all of this information is useful right now and isn't just preparation for some future requirement.
The core idea behind risk management is that you can't treat the idea of "safe" as if it's an on/off switch, with the "on" setting meaning no risk.
There is no such thing as no risk. We all spend every moment of our lives - our personal lives as well as our business lives - surrounded by risk: the chance of being affected by cancer, car crashes, corporate malfeasance or a troubled economy, for example. It's just that when the risk is small enough, we simply live with it.
This approach is pragmatic. If you get fixated on eliminating all risk, you'll fail. For example, card processing only exists because it makes business sense for merchants to offer it.
We're never going to sell security to merchants by saying, "Your transactions are now incredibly safe, and it only costs an extra $100 per transaction." The goal of PCI is to make cardholder data as safe as possible - in a way that is technically and economically viable.
With that in mind, the idea of "safe" transforms into "safe enough." Instead of attempting to eliminate the risk, we focus on whether we can reduce the risk enough so it can be relegated to the enormous list of dangers we just live with every day. In other words, we need to ask, can we manage the risk?
By the way, risk management doesn't do away with questions of how to handle security; the technical details still need to be addressed. It does provide ways to think about what to do, why to do it and in what order. It gives you the right way to start on these issues; the technical details then follow.
So if risk is the key idea, how do we manage it? For that matter, what is risk?
There are various ways to define or measure risk, but the basic idea is that it measures the degree to which you should be concerned about a particular danger or threat. You could say risk is a combination of likelihood and consequences, where likelihood equates to how likely it is a negative event will occur, and consequences relate to how much damage (financial, reputational or physical) a negative event would cause.
A threat such as nuclear war has a low risk rating (we hope) because even though the consequences would be very high, the likelihood is extremely low.
The risk associated with drinking lukewarm coffee is also low, but for a different reason: no matter what the likelihood, the consequences are minor.
If you store thousands of customer credit card numbers on a poorly secured system, the consequences and likelihood of a negative event are high, so the risk score is high.
Risk management advocates the following: don't spend time worrying about bad coffee or nuclear war. Focus on fixing the risks at the top of the list, such as those poorly protected card numbers.
A risk management approach involves these steps:
Here are a few additional tips:
If you get too caught up in the hunt for specific, accurate numbers, things will quickly become impractical. You are better off having a reasonable and thoughtful estimate today than an accurate measurement next year.
For example, fire insurance doesn't reduce the chances of a fire, but it does damp down the economic consequences. On the other hand, banning smoking in the workplace reduces the likelihood that people will smoke and thus the likelihood that a cigarette unattended will spark a fire.
In the context of PCI, encrypting a database can dramatically reduce the likelihood of an attacker obtaining sensitive information, while reducing the number of records stored reduces the consequences.
Risk management is a good idea at the merchant level, but it is more complicated and demanding than a simple follow-the-steps approach. The smart approach: don't dump the burden on merchants; provide them with guidance on risk management instead.
This approach demands better tools and analytics at the portfolio-owner level. It no longer makes sense to treat your merchants as a single group. Instead, learn to "slice and dice" your portfolio in intelligent ways and treat the different subgroups with different strategies.
With the right tools and analytics, you can make your overall portfolio safer, while at the same time making your PCI program more efficient and cost-effective.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next