Avoid misalignment on goals.
Business and security teams should not have different expectations regarding the goals of security and compliance. Shared knowledge, common understanding and alignment of goals are of utmost importance. All parties must act as a team with a singular vision for success.
The 3 stages of failure
The challenges organizations encounter, and the mistakes that occur during the planning and execution of PCI security compliance programs, can generally be divided into three stages of failure:
Stage 1: Failure of vision
These are “why” mistakes. Participants in PCI security programs fail to understand why they are engaged in PCI security compliance and what the overall goals are. These “why”-related mistakes occur when leadership doesn’t establish a clear direction for security and compliance, with a clearly articulated vision of the goals and objectives necessary to achieve the required outcomes. This vision is about achieving and maintaining focus on executing the correct prioritized objectives toward an aligned common goal.
Stage 2: Failure of strategy
These are “what” mistakes. They occur when the CISO and team follow a security and compliance strategy that is not designed and executed in a way that delivers the results they want. The team may know why they are engaged in a PCI security compliance program and how to do the work, but they still choose the wrong “what” to make it happen. Revisit The Security Management Canvas (see Figure 3, page 33) to help you position the overall approach, and the individual components and elements within each of the five domains.
Stage 3: Failure of architecture and design
These are “how” mistakes. They occur when the security team fails to build systems and a security and compliance control environment where sustainable control effectiveness is built into the design and not bolted on afterward. This type of failure also happens when you forget to measure performance and get lazy with the details. A failure of architecture and design is a failure to execute on a good plan (strategy and program) and clear vision. For additional insights, revisit the 9 Factors of Control Effectiveness and Sustainability and review how they should be applied (see the 2018 PSR, page 4).
Generally speaking, program success hinges on two fundamental concepts: a high-quality plan and effective implementation. A PCI DSS v4.0 implementation plan that remains on the drawing board is little more than a concept until the organization implements it and moves it from “concept design” to a tangible solution with measurable results. It takes as much specialized expertise to implement a plan effectively as it does to develop it. The organization must have the internal program implementation competence or turn to a specialized program implementation partner for support.
Proficiency: Skill and experience matter.
It’s common for organizations that undertake the management of large, complex security and compliance programs internally to lack deep knowledge of program management and implementation. Program management and implementation is a highly specialized, technical discipline that usually requires experts to help ensure success. Organizations often don’t have this expertise or in-house training because their core business operations are focused elsewhere. If an organization chooses to build and support this core competency internally, intensive education in program management and implementation—including the processes and technical tactics for success—is necessary.