Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: PCI Lessons from the Master


Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Intro
Now, here’s your host, Todd Coshow, with Adam Goslin.

Todd Coshow
All right, welcome in season one, episode two of Compliance Unfiltered. I’m your host, Todd Coshow, alongside the PCI man, myth, and legend himself, Adam Goslin.

Todd Coshow
Adam, how are you today?

Adam Goslin
I’m doing good. I’m not sure I’ve ever been introduced in that way before, but it was kind of fun.

Todd Coshow
Get used to it, brother. We’re happy to have you all on board for our second episode of Compliance Unfiltered, a podcast truly dedicated to making compliance suck less.

Todd Coshow
And we are gathered here today, Adam, to talk about a topic I know is near and dear to your heart. So let’s jump in with both feet. Tell us all about PCI.

Adam Goslin
All right, well, a little bit of groundwork for the uninitiated. Not going to spend a ton of time on it, but it’s supposed to be good to know what the hell PCI is. So it stands for Payment Card Industry, basically credit cards. And the credit card industry has a certification that they call the PCI DSS, or Payment Card Industry Data Security Standard.

Adam Goslin
And its intention, at its highest of levels, is to govern the handling of credit card data by all of those that are within the… kind of workflow of how credit cards flow through the various systems, responsibilities for different folks, depending on what they’re doing with the credit card data, etcetera.

Todd Coshow
Wow, that’s a mouthful.

Adam Goslin
Yeah, what are you gonna do?

Todd Coshow
For someone with your expertise, what does it feel like to have a PCI engagement dropped in your lap?

Adam Goslin
It’s, well, it depends on your context, right?

Adam Goslin
And we kind of covered it in episode one, kind of some of the background and whatnot, but for those that may not have listened to that one yet, the bottom line, I started with the initiation to PCI, with, hey, we need to get compliant with this.

Adam Goslin
And I summarily said, well, what’s PCI? And so that was my introduction. But no, for folks that have to go ahead and face this for the first time, quite frankly, it’s daunting. It is just daunting when you don’t already have that context.

Adam Goslin
It feels like you’re about to climb a mountain. And there’s just a ton of things that you don’t know. There’s a ton of things you need to figure out. There’s a ton of things that need to be done, etcetera.

Adam Goslin
So it’s a pretty big challenge for the uninitiated. But once you get your arms around it, all that fun stuff, it’s not nearly as bad as people fear, shall we say.

Todd Coshow
Yeah, and I can certainly appreciate that standing on the other side of the precipice.

Todd Coshow
But for some folks that maybe listen to this now, I think having a guide and someone with your level of understanding can certainly pave the way for some folks that are maybe standing on a little uneasy or shaky ground at the moment in terms of their level of competence.

Adam Goslin
Yeah, I mean, in today’s day and age where you’ve got a tremendous amount of access to data, right, go consult a Googler. You can fall down frickin’ rabbit holes that are going to take you eons to get your arms around this stuff and figure it out and and and.

Adam Goslin
And the unfortunate part is that while there’s several hundred different items, elements that need to ultimately get addressed, when you’re going through a PCI-style engagement, the bottom line is that there’s about, in some cases, there’s hundreds of ways to solve that particular problem. Which one’s best? Which one’s going to work? Which one doesn’t suck to deal with? It’s tough. And so what I see in a lot of organizations, especially those that are kind of heading down this compliance route for the first time, and it’s one of the biggest mistakes that I see organizations make, is they go under this guiding assumption that, well, we have IT people.

Adam Goslin
And so because these people do IT day in and day out, well, they must then be able to go and figure out all of the security stuff, because it’s, finger air quotes, related to IT. One of the biggest kind of mistakes and misconceptions that especially leadership and ownership of organizations make is just because you have IT people or an outsource vendor, whatever, that they’re going to be able to, you know, just magically, you know, come up with all of these solutions. And that problem’s further complicated by the fact that in that case, especially when you’ve got internal personnel with the expectations being put by leadership, that these guys just, you know, magically know how to do everything security, you know, that, you know, they’ve got pressure coming at them that way.

Adam Goslin
Or if it’s outsourced vendor, especially where you’ve got like your day by day IT vendor, those folks have been conditioned over time to be very, very protective of the relationship that they have with their customers.

Adam Goslin
They don’t want other people kind of, you know, treading on their ground, you know, etc. And so what are you going to hear? What are you going to hear out of the out of the outsource vendor? Oh, no, we totally got that figured out, you know, etc.

Adam Goslin
And then they’ll, they’ll just either whitewash it or tap dance or whatever. And really, it’s at the risk to the, you know, to the core organization. And so, you know, the thing that I would recommend to anybody that’s, you know, kind of heading down this road is find somebody that can, you know, that can kind of help you and give you some direction and whatnot.

Adam Goslin
You know, the relationship between whomever is helping you with your, you know, get through your compliance stuff, doesn’t need to be the arch enemy of your internal IT people and your day by day IT vendor, really, it has to be a partnership, no matter what.

Adam Goslin
And so if, if the light bulb goes on with management, upper management, etc., that they’re really asking their, their IT people to step, you know, into, you know, into an arena, which is quite frankly dangerous for the organization, and get somebody in that truly acts as a partner force to the internal personnel, it can really work very, very well.

Adam Goslin
But the example I like to give folks is I’m like, you’re not gonna go to your, put it in a medical setting, right? You’re not gonna go to your day by day general practitioner that you’d normally go to for the snivels, right?

Adam Goslin
And mandate brain surgery, you’re gonna go to a brain surgeon. Well, don’t go to your IT people or your IT vendor and say, hey, I’d love you guys to just take care of security stuff. Are there some of these folks that have the mad skills to be able to do it?
There are, but they’re very, very far and few between that I’ve seen out in the marketplace.

Todd Coshow
Well, what should someone look for when they’re trying to build that type of relationship that you were talking about?

Adam Goslin
Um. You know, the reality is that they want to go, you want to look for somebody that has the experience that’s been in the space that, you know, that knows what they’re doing. They’ve been to the rodeo, you know, many times across many, you know, many different organizations and really has some experience with it because it’s, you know, it’s that experience that’s really going to help and streamline,

Adam Goslin
you know, kind of help and streamline the, you know, the interaction. I don’t want to go too far into the whole notion of, you know, hey, you know, how should you get your help and, you know, consulting consultants versus assessors and things like that because I think we’re going to have a full podcast dedicated to that notion.

Adam Goslin
But, you know, bottom line is that, is that, yeah, I mean, you know, getting some help, getting some direction, you know, getting something to help get everything organized. Those are all really good steps in the right direction.

Todd Coshow
Excellent. So when you’re looking at the different approaches for the certification themselves, what does that mean to these folks out here? What can they do?

Adam Goslin
Sure. So there’s a couple of different kind of mainline options for getting through PCI.

Adam Goslin
And really what it comes down to is it depends on a couple of things. What you’re doing with the data, how much you’re doing with that data, you know, things on those lines and kind of the volume that your current organization takes on.

Adam Goslin
All of those play factors into figuring out which way to go. But at its basics, there’s really two different approaches. One is folks that deal with credit cards can go a self-assessment route. And that self-assessment route is basically the organization themselves filling out the, you know, filling out the paperwork confirming that they have all of these and sundry policies, procedures, solutions, etcetera, in place based on their circumstances. And so you can go and fill out the paperwork on your own. So the first step really is, you know, figure out, figure out which of the paperwork you’ve got to go get filled out.

Adam Goslin
There’s self-assessment questionnaires, you know, there’s a whole flavor of them. A’s, B’s, C’s, D’s, you know, etcetera. So yeah, I don’t want to get, I don’t want to take this into the, you know, into the world of the absolute nitty gritty here, but you know, the bottom line is figure out which of these approaches that you need to take for your organization.

Adam Goslin
And then on the, on PCI’s website, they have the availability to go in and download those. So if you go to PCI, the PCI website and go to documents, they’ve got all of the self-assessment questionnaires that people can go and pull down. So that’s one approach is to go and do the self-assessment questionnaire, fill it out from the PCI website. In many cases, if the organization’s a merchant and their payment processor has provided them with a system to kind of go and enter their responses into, that may be available to the organization as well.

Adam Goslin
So self-assessment is kind of the one side of it. And then on the other side is organizations that choose to or are forced to go through some type of a third-party audit style assessment. And those third-party audited assessments, some organizations can opt to do that electively.

Adam Goslin
So the Total Compliance Tracking or TCT, my company, it has elected to go through that third-party assessment each year. And we didn’t have to, we’re certainly not transacting a level of credit cards where we’re forced to go through this, but we did it electively.

Adam Goslin
And really the why behind that is that I wanted to, it’s one thing for me to go in and say, yeah, yeah, yeah, I got that, right? But when someone else is depending on those responses, those inputs, having a third-party coming in to do, they’ll kind of be that sanity check, be that, you know,

Todd Coshow
It makes all the difference in the world.

Adam Goslin
Yeah, that voice, it really gives some measure of third-party assurance to this isn’t just lip service because one of the biggest problems, especially with the self-assessment direction is that you’re wholesale dependent on the organization themselves, you know, number one, understanding what it is that they just said yes to, that they actually did it, that they actually did it right, you know, things along those lines. So when you’ve got that third party that comes in to do the look over the shoulder, it actually carries a fair amount of weight, especially if, you know, in our case, we’re using the folks that go through and do the audits in the PCI world are called qualified security assessors or QSAs.

Adam Goslin
PCI has just about a freaking billion acronyms in it. So yeah, I’ll try to play translator and remember to do that as best I can as we’re going through this. But, you know, so in TCT’s case, we wanted to be able to have the third parties that have to depend on our certification have some measure of assurance.

Adam Goslin
And so that’s why we chose to go that route. In the other case, let’s say that we’re a very large, you know, SaaS-based merchant that has, you know, that has a bunch of transactions going through it, they may hit transaction volumes where they have to do that third-party audit.

Adam Goslin
So they think that the really, really large retailers probably are in that, you know, in that boat, really, really large SaaS platforms where they’re doing a lot of online purchasing, etcetera, probably in that boat as well.

Adam Goslin
And so in that case, those organizations are forced to, forced to go through that third-party audit with a, you know, kind of with an assessor.

Todd Coshow
Sure, that makes sense. So now, you know, you’ve figured out, you know, what type of PCI you’re filling out.

Todd Coshow
You found your third-party assessor, you know, you’re going through things, but when people think about PCI and going through it, it can be a bear, Adam. Why is it such a struggle?

Adam Goslin
Well, number one, you know, when you take, when you take a full-scale PCI engagement, actually I like PCI, you know, God, I’ve been doing, I’ve been doing PCI style engagements at this point in the game for, you know, for well over a decade. And I really like PCI because it’s kind of a double-edged sword, it’s very prescriptive in terms of what you need to do in order to meet the requirements, where some of the other standards are a little more directional in nature.

Adam Goslin
And so, but with that specificity comes a lot of potential line items of things that you’ve got to go and prove out that you’ve done. And so, and so with PCI, if I take one of the, you know, kind of the, one of the all in, you know, style approaches, which is either that, you know, kind of the auditor assessment approach or, or the self-assessment questionnaire D for service providers, both of those effectively have the same number of line items.

Adam Goslin
And when you break it into all its component parts, it’s around 500 items or so. And so there are a ton of things that an organization needs to be paying attention to, that they need to make sure they have in place.

Adam Goslin
So it’s a pretty large undertaking to be able to head down PCI. So one of the biggest struggles, especially for those that are kind of the uninitiated is just, you know, what do all these things mean, right?

Adam Goslin
And one of the struggles that I’ve seen out of organizations, I’ll just use kind of an easy example, is that, is that there’s a section in PCI for antivirus, right? And I can’t tell you how many companies that we’ve been talking to about getting through PCI and they basically say, oh yeah, yeah, yeah, I got antivirus, you know, check.

Adam Goslin
And meanwhile, they don’t bother to go look. And while, yes, one of the checkbox items in the AV section for PCI is, do you have it? It’s bigger than that, you know? It’s, do you have it? Is it set up to update correctly?

Adam Goslin
Is it, you know, performing scans on this period? You know, and, and, and. So there’s about 11 different items that you’ve got to actually checkbox when it relates to antivirus. And yet, I’ll see a lot of people say, yeah, yeah, yeah, I got that.

Adam Goslin
And whether it’s AV, whether it’s, you know, a firewall, whether it’s, you know, IDS, you know, there’s, there are many related elements to each of these technical solutions that need to get put in place.

Adam Goslin
And I have often seen organizations, especially those using the, like the internal IT or, you know, the outsourced IT vendor, that type of thing where there, you know, there’s a, there’s a great propensity to just go, yeah, yeah, I got it, without actually looking at the line, line level details.

Adam Goslin
So, you know, that’s another, another arena. You know, we talked about, you know, 500, you know, whatever items when you have to, you know, kind of put yourself up against the full breadth of PCI. And in, in, in TCT’s case, you know, one thing I neglected to say earlier about, you know, kind of TCT’s approach to, you know, approach to this, is we basically said, no, we don’t do a lot with credit cards, but we’re going to use this framework to put ourselves up against as a bar we want to go in, you know, go in and hit and exceed. And so what we do is we basically said, hey, everywhere where it’s talking about credit card data, we’re just going to mentally swap it out for sensitive data.

Adam Goslin
And then we’re going to treat all of the sensitive data within our environment, which we include the client data under that umbrella. And we’ll basically say, we’re going to go up against everything and use the moniker of sensitive data, not just PCI data, because I’ve seen a lot of especially service providers in this space.

Adam Goslin
They try to play the game, right? And I kind of laugh because I’ve got to go in and I’ve got to review different vendors, you know, stance against PCI. And you can hear the trumpet play, bop, bop, bop, bah, here’s my attestation of compliance for PCI.

Adam Goslin
And so they go and they throw this out there and then you start actually reading like the scope, you know, and in their scope section, they basically say, well, we don’t really do anything with credit card data.

Adam Goslin
So like 98% of this doesn’t even apply. And I’m like, OK, so what is this paper worth? Nothing. It’s not telling me anything. And you haven’t actually confirmed that you have anything in place as a result.

Adam Goslin
So that’s something that I find kind of amusing when I get to go down and through that portion. But anyway, keeping track of everything is a big deal because there’s a ton of moving parts on a PCI.

Todd Coshow
Well, that kind of leads directly into the next thing that I think we need to talk about, which is what is on everybody’s mind here.

Todd Coshow
And that is the complexity of the certification itself. PCI is known for being an extremely prescriptive cert. Is that right?

Adam Goslin
Yeah. Yeah, it really is. And going back to that, yeah, yeah, yeah, I got AV notion.

Adam Goslin
And I use the, yeah, yeah, yeah, I have a firewall. AV, in its case, broke it out. It’s got about 11 different items. But I turn around to the firewall as an example. And there are just gobs of different line item requirements that you’ve got for the firewall.

Adam Goslin
So in the case of PCI, what they did is they went in, they broke it out into various sections. So they’ve got for the kind of the all-in, you know, all-in SAQ D, ROC, you know, report on compliance, which is where the assessor would come into play.

Adam Goslin
For those style of engagements, they have it broken out into 12 different kind of requirement sections. And so each of those sections is kind of covering a different realm, if you will, of a different realm of PCI.

Adam Goslin
So requirement one is primarily covering… things surrounding the firewall, firewall networking, some different diagrams, documentation, things along those lines. And so in that case, you’ve got a whole bunch of different sections in there, but like the firewall requirements, it’s probably more akin to like the 25 to 40 different elements that have to do with, have to do with firewalls as an example.

Adam Goslin
So requirement one’s all about, kind of all about the network’s layout, a couple of diagrams, but then a lot of detail on firewall configurations and things that you’ve got to do, etcetera. But you continue to go down.

Adam Goslin
The second requirement is really talking about system defaults and passwords, security parameters, inventory, things along those lines. The third requirement really has to do with encrypted storage of information, limiting how much you’re storing, that type of thing.

Adam Goslin
And it goes on and on and on. Four is encryption transmission. Five is AV. Six is patching and patching and system application, development methodologies, things along those lines. So it really covers a really deep and broad spectrum of items and elements, not the least of which is that some of these items and elements, like it’s required for PCI as an example to go in and do periodic vulnerability scanning, annual penetration testing, that type of thing. So there are a lot of various elements to this PCI beast and it is just a real monster when people are going and walking into it.

Todd Coshow
It sounds that way, Adam.

Todd Coshow
It really, really does.

Todd Coshow
So what are the types of tracking at a detail level and being able to kind of connect all of the dots that folks should really be worried about?

Adam Goslin
Sure. So one of the biggest challenges that I face, and here’s the fun part for me being in this world, is that I’ve been through what all these other people had to go through for the first time.

Adam Goslin
I’ve been through that myself. I had to get an organization through not knowing anything and barely understanding how to spell PCI type of thing. And so that was interesting, having that context and that experience from my past.

Adam Goslin
But one of the biggest challenges is just being able to manage and track and hold onto all of these various elements and sundry evidence that you’re required to place across these 500, whatever line items and requirements.

Adam Goslin
So one of the biggest challenges is just, we go back, I’m going to keep cycling back to that AV example because it’s an easy one and a good one and a relatable one. Instead of going, yeah, I have AV, you know, actually go in and look at the requirements, look at all of the various broken-out line items and elements, go into your systems, double check, do you actually have it set correctly?

Adam Goslin
of the evidence that you can prove that that thing is set correctly, you know, and is that in alignment with the requirements. And so, you know, bringing that tracking down to the line item level of the certification is absolutely critical.

Adam Goslin
And it’s critical for a couple of different reasons. You know, and what I’ve found is at the heart of each organization’s kind of compliance journey, if you will, it really depends on it really depends on why are they going through this process?

Adam Goslin
If they’re going through the process so that they can just, you know, check some boxes to go win a, you know, go win an engagement, etc. Well, then that’s where you’re going to see less of a, less of a solid, you know, kind of approach to, you know, to how to get through it. If they’re, if their desire, their care is to take this stuff seriously to, you know, to be able to, to, you know, protect their client data, to be able to protect the organization itself, then it’s, it’s, it’s prudent to go get down to that detailed level, get your evidence connected at line item level by line item, etc. And one of the, you know, one of the real benefits of doing this, and this is what a lot of organizations don’t understand as they go through this for the first time, because most of the first times for people, man, it’s a mess is a mess.

Adam Goslin
You’re trying to figure stuff out, you are trying to find solutions that work. You’re trying to make sure you’ve dotted all these I’s and cross these T’s, you’ve got, you know, documentation coming out of your ears.

Adam Goslin
You know, normally, when a lot of cases, people are trying to hold this all together themselves, you know, with somebody being the eye of the hurt, you know, the eye of the compliance hurricane, and, you know, and having to kind of manually manage and keep track of all this stuff.

Adam Goslin
It’s a straight up a freaking nightmare to be able to kind of get through this process. And yet, what a lot of these companies miss is that, sure, could I go this route of, we’ll call it extreme pain and trying to hold it all together manually with drop zones and spreadsheets and whatever other mechanisms of kind of transport and storage that they’ve got for their evidence.

Adam Goslin
Sure, they could go down that route, but what they miss is that there’s gonna come a point, the minute that you get compliant with PCI, and if your decision is to manage and maintain PCI ongoing, you now have things that you need to do regularly: daily, weekly, monthly, quarterly, semi-annual, and annual tasks that need to be done for PCI in order to maintain it, and not the least of which is, you’re gonna get a year down the road from whenever you get compliant, and then have to go and regather all of this evidence.

Adam Goslin
Well, if what you left in your prior track, your prior year, if what you left was an absolute disaster mess, well, then it’s gonna be garbage that’s coming back, and back, you can’t lean on it. You’re gonna have to spend more time than it’s worth to try to put everything together.

Adam Goslin
You may have resources that are switched out and whatnot. And so it’s just, that’s the piece that a lot of these organizations miss is the amount, if they do the rigor to keep everything detailed, line item level, it will benefit them down the road, because now you have a rock solid complete list of here is what we use to justify all of these and sundry line items.

Adam Goslin
And now you’ve got it, it’s referenceable, who did it? When did they do it? Did your consultant or your assessor balk at, balk at what you put, kind of put together there, that type of thing. So, and what tweaks did you need to make?

Adam Goslin
All of those are learning experiences that just evaporate when you don’t have the organization out of your last cycle, walk, you know, being at the ready to co-walk into this cycle.

Todd Coshow
So when you’re looking at that from a coordination standpoint, I mean, that is a lot of moving parts across a lot of different areas in the organization.

Todd Coshow
What, and especially outside of the organization as well. So what do a lot of companies end up doing? What do a lot of folks do?

Adam Goslin
Well, there’s several things that they do. The, the, the, the pain of my compliance world for literally years was the Excel spreadsheet. And so generally speaking, the vast majority of folks still are using some form of manual tracking, typically Excel, to go through and kind of track statuses, track who’s doing what, what things are done, etcetera.

Adam Goslin
Well, and the problem is, is that, and even in this world of, you know, being able to use shared spreadsheets and things along those lines, you know, you know, that world has improved somewhat, but it still takes some human to go manually, log in, you know, update the sheet, you know, etcetera.

Adam Goslin
It’s not tracking history. It’s not tracking, you know, it’s that you don’t have the detailed level, readily accessible, who did what, when, you know, oftentimes it is unbelievably challenging to get the operational crew who’s provisioning evidence to also go and update the sheet.

Adam Goslin
So that’s where, you know, I kind of come full circle. And in the most of the cases, some poor soul ends up being the, you know, that eye of the compliance hurricane, as I called it. Who their job is basically to spend multiple hours every week going in and kind of collecting up from all of the various drop zones.

Adam Goslin
Oh, well, who provided what and blah, blah, blah. And then manually moving those elements of evidence over to whoever needs to go look at them next. And then going back to the spreadsheet and updating that.

Adam Goslin
Sounds like a craps. You know, saying, oh my God, dude, it is. Yeah, it’s rough. It is really rough. So that’s kind of the one side of it. And then for the, so that kind of covers what most, and honestly, most companies are doing this manually in some way, shape or form, whether it’s Excel or some homegrown, you know, SharePoint, you know, solution that they, that people have, you know, labored, you know, hours and hours over or whatever. That’s kind of the one side of it. Or on the other end of the spectrum, you know, you’ve typically got the assessors, that the assessors will have some form of a submission, you know, submission process that they will use.

Adam Goslin
And for the vast majority of them, historically it’s been, you know, some form of varying levels of fancy schmancy, you know, drop zones for dumping files into and things along those lines. And the problem with the, you know, with the majority of the, you know, what has been used by the vendors, you know, vendors in the past is that it’s a vendor system, you know, where these folks are on and they’re doing, where they’re on and they’re doing an assessment and, and they put all this labor and blood and sweat and tears manually pulled from, you know, whatever, and number of, you know, sources internally, email, drop zones, net drop, share file, whatever, and now have, you know, kind of connected at all in a submission process into the assessor system.

Adam Goslin
Well, that’s only great for the assessor, you know, makes their world a heck of a lot easier, but it’s still not really helping the target organizations having to go through this stuff. You know, and so the, you know, for the organizations themselves, you know, getting a system to basically manage and track this stuff, have it be your compliance system.

Adam Goslin
Don’t be subservient to your vendor. Just don’t keep in mind, just keep in mind. I mean, you know, at the end of the day, the assessor’s a vendor, you know, don’t get subservient to your vendor system and their choice is about what’s gonna make it easier for them.

Adam Goslin
You need to make your world better, you know, and then that way you can connect in others into the, you know, kind of into the solution that you love.

Todd Coshow
Absolutely, absolutely. So how do you get help? If you’ve come all the way down to this and you’re to the point now where you’re stuck and you recognize that this just is, it’s over your head and you’re not gonna be able to get through it.

Todd Coshow
What do you do?

Adam Goslin
So I’m not gonna go into this in depth. I’ll cover it at a high level. We’ll, you know, we’ll end up getting into this in one of the next podcasts.

Todd Coshow
That’s called a tease for the folks at home.

Adam Goslin
Yeah, at the highest of levels. You know, the biggest, and even before I get into that, what I’m gonna lead with is this, is that for an organization that needs to go into the compliance world, my best recommendation is find somebody to help, find somebody to help.

Adam Goslin
There’s, you know, consulting houses out there, folks that can, you know, that can kind of assist in all that fun stuff. There’s assessment firms out there that, you know, that can go in and do an audit that have varying, you know, varying levels of, you know, of capability, etcetera.

Adam Goslin
But one of the biggest mistakes that I see organizations make is that they don’t, we don’t wanna spend the money on, you know, on paying some consultant to come in and help us and, you know, or whatever.

Adam Goslin
We don’t wanna pay the, you know, pay the assessor, you know, pay an assessor for you to help them come in and help us. And so what instead they do is they go ahead and they throw their, their poor internal IT folks or their IT vendor to the wolves, and they burn an unimaginable, unimaginable amount of time with their internal personnel, with investigations, attempts at trying to solve things and finding out that they’re wrong, and, and, and, and, and. My biggest suggestion to organizations is instead of don’t, you know, do the cut off your nose to spite your face and, you know, and, and try to force these people that really don’t know security to, to now take on security, but get some help from somebody, you know, some directional assistance, at least start in that manner.

Adam Goslin
And then, hey, guess what? If your team, if you, if you either end up staffing up your team to, you know, to have the requisite knowledge to be able to do this better in the future, great, you know, if you find, just as I suspected, it was so easy that my internal personnel can just go ahead and do this now. Well, if it turns out that way, great. But my experience says that for the majority of organizations, they either spend an unholy amount of time struggling, trying to get through this themselves, and an effort to save money while they basically burn internal resource time, which effectively is money.

Adam Goslin
You wouldn’t have to go hire five more people to make up for the fact that you’ve just swamped your internal team for eight months trying to figure this certification out. So if the organization can make that call a little bit earlier in the process and start by getting the help, it will make everybody’s life far better.

Adam Goslin
Because I’ve seen some really bad situations with organizations where the leadership was just expecting miracles and put a lot of pressure on the internal team, burning out staff, having people either fire to it through the process.

Adam Goslin
And it’s been bad, dude. And the problem is that they don’t end up figuring this out until it’s way too late in the game.

Todd Coshow
That’s really tough to hear. Because I’m sure that there’s still some folks out there, Adam, that feel like over the course of listening to this podcast and looking at their PCI engagement, that they just ran through a car wash without a vehicle.

Todd Coshow
And if that’s the case, we completely understand. Reach out to us directly on Twitter, on Instagram, at compliance unfiltered, and we will be happy to answer your questions on upcoming episodes. Well, that’s all the time we have for today.

Todd Coshow
I’m Todd Coshow.

Adam Goslin
And I’m Adam Goslin. Hope we helped you to get you fired up to make your compliance suck less.

Todd Coshow
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

