Businesses must take a proactive approach to security that assumes all defenses will fail at some point. When defenses fail, you must be ready and prepared to address threats and mitigate them quickly. Be vigilant with your security efforts and include them in your corporate culture. On top of this, take advantage of the technology solutions available today that make cardholder data useless to attackers if they do steal it.
CSO: How should CSOs move to offense? What strategy and tactics will be the most effective?
Orfei: If we've learned anything from recent incidents, it's that payment security equals job security. Security is no longer merely "nice to have." It is critical to the success of any organization that accepts or processes payment cards. Businesses must prioritize security when making investments and take advantage of the technology solutions available today that help do this.
We urge executives to instill a culture of vigilance from the top down. Make PCI part of your "business as usual" routine. Doing just one security scan a year isn't going to cut it. We all need to admit that we're humans; we make mistakes, so we must do everything in our power to stop costly accidents from happening. You are a part of the process of offensive security.
Starting in the boardroom, the conversation has to change from one that's compliance-based to a new focus on reducing risk and increasing security, every day and year-round, not just at assessment time.
CSO: Explain how a "risk mitigation" approach differs from a compliance focus.
Orfei: Compliance is just a point-in-time measurement. Asking, "Am I compliant?" is not the same thing as, "Do I have a strong security strategy for continuously protecting payment card data?" We have to flip this focus and move the dialogue away from passing an audit once a year to building a culture of security vigilance that reduces risk with multi-layer controls.
CSO: How can the PCI DSS keep up with constantly evolving threats? Should it issue regular "patches" to its standards?
Orfei: "Patching" the DSS is not the right metaphor. A patch is issued to fix an error made by a programmer while writing software code. The DSS itself is a strong baseline standard to help businesses detect, prevent and defend against attacks on their systems. And we are committed to evolving not just the DSS, but all of the standards, best practices, guidance and solutions that can help businesses protect their payment information. For example, the council recently issued guidance on malware in response to threat vectors that have emerged in recent months.
CSO: Third-party relationships are said to be one of the most significant vulnerabilities for companies. What do you recommend for engaging and managing security within those relationships?