Cybersecurity Is About Attitude, Culture... Not Strictly Compliance

By Jeff Man on August, 13 2020

Get latest articles directly in your inbox, stay up to date

Back to main Blog
Jeff Man

Respected Information Security advocate, advisor, evangelist, international speaker, keynoter, former host of Security & Compliance Weekly, co-host on Paul's Security Weekly, Tribe of Hackers, TOH Red Team, TOH Security Leaders, TOH Blue Team, and currently serving in a Consulting/Advisory role for Online Business Systems. Nearly 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. Certified NSA Cryptanalyst. Previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises and was part of the first penetration testing "red team" at NSA. For the past twenty-five years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies. Credentials: NSA Cryptanalyst, Hacker, QSA

How do you avoid becoming the Next Big Retail Breach Target? There are plenty of points — and counterpoints — on the topic. As a cybersecurity professional who has specialized in compliance with the Payment Card Industry Data Security Standard (PCI DSS) for more than sixteen years, I have a great deal of thoughts to share. So consider this the first of a five-part blog in which I’ll lend my perspective about the state of systems protection in the retail industry — and how to safeguard your business.

In all that I’ve read, there’s too much emphasis on whether a breached retailer was “certified” as PCI compliant. Is this important? Of course, it is.

But a “yes/no” reading on compliance fails to address a general attitude of merchants toward the whole PCI process.

Cybersecurity is more than compliance - blog

I have been a Qualified Security Assessor (QSA) since the inception of the PCI standard and I can tell you that, too often, the attitude of my customers conveyed a sense of “Let’s get this over with...” or “The audit of the month is wasting my time...” or even:


“Just tell me what I need to do to pass.”

There are exceptions, but I’ve worked with too many companies which don’t really embrace the impact that successful PCI security standard implementation can make with regard to their overall security posture – not simply for the protection of credit/ debitcard data, but for the protection of their entire enterprise.

This notion is frequently lost on merchants because they spend an inordinate amount of time attempting to “limit the scope of the assessment.” This typically meant, “If you don’t have to look at a set of systems, then I don’t have to secure them...”


Most of us would agree that this is the wrong approach.

I came into PCI as a veteran information security consultant with a Department of Defense (DoD) background. I also happened to be classically trained as a Cryptanalyst. My customers would get a healthy dose of security awareness in general. But I was particularly interested in educating them about how particular PCI controls have come about and what they mean – in other words, context.

Frequently, at the conclusion of the assessment, customers told me, “That was the toughest assessment [audit] we’ve ever been through. But it was definitely worthwhile because we need to be more secure.” What’s wrong with PCI is not the standard itself, or the specific controls. They’re not perfect. But holistically they are the most exacting and comprehensive set of security controls I have seen outside of the DoD. In fact, I believe they stand up very well as a framework for any security program.


Unfortunately, they are rarely perceived as such.

The PCI industry promotes this misguided approach to “simplifying compliance” and “reducing scope.” Yet, too many companies get wrapped around these directives and quickly lose sight of the bigger picture: security!

ImageCredit-CJSchmidt-FlickrImage sourced: CJ Schmidt/Flickr - Wired Blog 

Case in point: I would often hear from the security/IT folks at my clients that PCI standards are only a starting point. They knew very well that PCI represented a bare minimum approach that a “real” security-focused program would go much further and require much more.


However, the same organizations struggled to meet all of the requirements and successfully demonstrate compliance.

How can a standard deliver no more than the bare minimum, yet still be difficult to achieve?

In large part, it’s because security is about attitude/posture/mindset/culture rather than the achievement of a predetermined, perceived “state.”

Security is something you DO continuously and diligently; not something you check off a “to do” list and then sit back and relax. PCI has all the component parts to allow companies to adapt this state of due diligence.

But it is too commonly presented as a point-in-time AUDIT — by just about every member of the PCI community be they QSAs, the PCI Security Council, the merchants themselves or in particular the vendors selling the “quick fix”/” buy this and you’re done” solutions.

We can do much better.

And you’ll find out how during this five-part blog series. In Part II, I’ll examine some of the most prevailing myths and realities of PCI and cybersecurity for retailers.


Posted originally on Wired, Innovation Insights blog 



Jeff Man is a Senior Security Consultant with Online's Risk, Security & Privacy practice. Did you know that blog author Jeff Man is an original National Security Agency (NSA) Red Teamer and Department of Defense (DoD) cryptographer? If you have questions about this blog or a related topic contact Jeff today.

Contact Jeff Man

Submit a Comment

Get latest articles directly in your inbox, stay up to date