For many organizations, PCI compliance is a necessary part of doing business.
However, a report on compliance failure could be disastrous for the business and the time and cost of remediation can escalate quickly.
In this video, Mihir Mistry, Senior Security Manager for GRC covers the top three reasons organizations fail a report on compliance including:
- Staffing changes
- Misunderstanding of basic elements of risk management
- Representing a vulnerability assessment as a penetration test
One common theme that we see that results in a failure of a report on compliance is staff changes. So this is an industry where there’s a lot of change right now, so you have a certain staff and now you lose that and they don’t know what the new scope is. Scoping is the core in a PCI engagement. How do you scope your network? How do you scope where your cardholder data resides? And if you don’t scope that properly, that is a big factor in failure of PCI compliance.
The other one is just understanding the basic elements of security and risk management. A lot of clients look at this as a compliance thing; it’s a check-box approach. But if they truly do not understand the risk of what this means to my organization: ‘If I get breached, then what happens to my customers?’ So, the whole risk management approach, if they fail to understand that, that is one of the big elements that also results in failure of PCI compliance.
So this is really basic that we see, but failure of understanding some basic elements like what penetration testing means. We see a lot of times where clients think they have done a penetration test and they will bring it back to us. But when we look at that, it’s basically a scan; it’s not a true penetration test. So again, just basic elements like that. So our advice is always to do something like a readiness assessment first before you jump into a report on compliance. That way a lot of these elements can be addressed first, and you have some room to remediate those efforts, and that can result in a positive compliance outcome.
The old approaches to cybersecurity are no longer adequate. It’s time for something new. Layered defenses can create almost as many problems as they solve, and security teams struggle to keep up with the threat. What you need is context across all your layers of defense with the right people, processes, and technology working together in concert. That’s how Secureworks can help. Using 20+ years of industry knowledge, advanced analytics, industry-leading threat intelligence, and the network effect of more than 4,000 customer environments, we provide world-class cybersecurity solutions to customers around the globe. This unmatched experience empowers our customers to be Collectively Smarter. Exponentially Safer.™
Our Managed Detection and Response (MDR) solution is comprehensive, powered by our cloud-native software Red Cloak™ Threat Detection and Response that uses AI and machine learning to deliver better outcomes for your security operations. MDR unifies telemetry from your existing security technology to maximize visibility, reduce complexity, and enable you to move at the speed of the threat. Learn more about how Managed Detection and Response uses contextualized visibility to improve your organization’s security posture.