Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Interview with The PCI Guru Jeff Hall
Quick Take
On this episode of Compliance Unfiltered, the guys are graced by the presence of the PCI Guru himself, Jeff Hall!
Jeff is a long-time QSA, author, world-renowned blogger and PCI DSS Trailblazer.
He and the rest of the PCI Dream Team have an incredibly important new book out, “The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management” (Available for Purchase Here)
The CU guys ask Jeff all about it, his life in the compliance space, and much more, on this episode of Compliance Unfiltered!
Remember to follow us on LinkedIn and Twitter!
Intro
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Todd Coshow
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Woodward to your compliance Bernstein, Mr. Adam Goslin. How the heck are you, sir?
Adam Goslin
I’m doing fine, Todd. How about yourself?
Todd Coshow
Man, I cannot complain. We’re blessed today. Let me tell you, we are blessed to have a very special guest. The one and only PCI Guru himself, Mr. Jeff Hall, is joining us.
Hey, Jeff, we’re pleased to have you on Compliance Unfiltered. Tell us a little bit more about your security and compliance journey.
Jeff Hall
Well, I kind of fell into it, actually. I came out of college with a degree in computer science, headed off…
Todd Coshow
Where’d you go?
Jeff Hall
Ferris, what is now called Ferris State University, but back in the day, it was just a college. There you go.
Todd Coshow
Heck of a hockey team there, I’ll tell you what.
Jeff Hall
Well, I actually went there because I originally was going to be an architectural engineer and went to my interview at the University of Michigan and found out they don’t teach you to draw there. I’m in the interview and the guy goes, “So where’s your portfolio?” I looked at him a little lost and said, “Portfolio?” And he said, “Well, yeah, you draw, right?” I said, “Well, yeah, but I was in college prep and didn’t take any industrial arts classes in high school.” “Oh, well, you know, we don’t teach drafting here, so you’re going to have to go and get that somewhere else.” And so he pointed me to Ferris because they had an associate’s degree in architectural drafting. He said, “You’ll take all your pre-engineering stuff up there, we’ll transfer it lock, stock and barrel, you’ll do four years here and you’ll graduate with a master’s in engineering.” And I said, cool. So I went up there and did two semesters up there and basically found out there was no career path in architectural engineering at the time. And all I could think of was I’d spent six years in college, the TV show that was on at the time was Movin’ On, my dad owned a truck leasing company, and I figured, God, I’m going to go to school for six years, graduate with a master’s in engineering and I’ll be driving the truck.
Jeff Hall
Oh no. Yeah, and so I thought, you know, no, this is not… So I transferred, they had just started a new program over in the School of Business, Management Information Systems. And so I went and enrolled in that, I changed degree programs, but I took all my electives over in the School of Engineering. So my background was in operating system theory, data management theory, all that. I took those as electives. And then because I was an engineering student, I’d gotten into the math program, so I finished that out. So I ended up with a degree in computer science and a degree in mathematics.
Todd Coshow
Oh wow
Jeff Hall
So I went off to a consulting firm who farmed me out to of all places, IBM. So I was a systems programmer for IBM as a contractor for basically the first 15 years of my career. And through that, I ended up on a couple of engagements where there was potential fraud occurring. And so I got involved in ferreting out was there fraud occurring? And if so, how is it being done? And that’s how I started down the compliance road.
Todd Coshow
So. Well, that’s quite an interesting story, actually. As you’re kind of looking back, Adam, and I wanted to ask this one question before I hand it to you on this one. As you’re looking back on that, what would you change, if anything?
Jeff Hall
Well, interestingly enough, had that consulting company not come along, I had been accepted to Ohio State to go and get a master’s and a doctorate in computer science. And that’s probably where I would have gone had I not gotten tired of being a poor college student, and because they offered me a butt load of money at the time. Yeah, you go into one of the big consulting firms. Yeah, that’s what they were.
Adam Goslin
That was a good opportunity, right? I was going to ask you, Jeff, so you got exposed to it somewhat through the consulting via IBM. And then from there, did you start stepping into actual security organizations at that point in the game? Or did you have another couple of steps in between?
Jeff Hall
No, I had some steps in between. I ended up, after leaving the consulting firm, I went to what is now Thomson Reuters. But at the time I went there, that was West Publishing. And I worked on Westlaw for two years. And I don’t know if you’re familiar with Westlaw. The competitor to it is LexisNexis. Gotcha. And so Westlaw was for the publication of law books.
Jeff Hall
But they operated an online legal research operation called Westlaw. And so I worked on all sorts of projects to make Westlaw quicker, better, faster. The one thing I did learn over there is just how litigious West Publishing and LexisNexis were against each other. I was there two years. I had my desk Xeroxed six times due to lawsuits. You know, they’d come, they’d back two 40-foot trailers up to the building. And both trailers would have huge Xerox copying machines. And they would just come up, pull the drawers out of your desk, go down, Xerox it and bring it all back. Jeez, excellent. But so it was after that that I went to this little itty-bitty operation called KPMG. Ha, ha, ha. Actually, the first year and a half I was there, I got six different business cards. When I first started, they were Peat Marwick, then they became Peat Marwick Main. Then they became, I can’t remember what, and then finally we ended up with KPMG.
Todd Coshow
Got it. Just out of curiosity, I know you’re kind of joking because KPMG is now a large-scale organization, but at the time that you were joining in there, was it really like a fraction of what it is now?
Jeff Hall
Oh, they were still huge, but that was still the Big Eight at that point, now the final four, because Andersen’s gone altogether and everybody else merged up.
Todd Coshow
Gotcha, gotcha, gotcha. And so basically from there, you know, you start dipping your toe in the KPMG arena. That’s really where you started to transition into, you know, more of a security focus, and your kind of true full-time, you know, security and compliance journey was really in effect at that stage of the game.
Jeff Hall
Yeah, I transitioned obviously out of technical stuff, although the first project I was assigned over there was to develop an object-oriented development environment for a large bank that KPMG was doing a mortgage lending app for. They wanted to do it with object orientation, and so I started setting that up. Well, sadly, that project ended up literally being put underwater by a flood. Whoo. Yeah, somewhere in my memorabilia I have a picture of my desk under water. The whole building went underwater, so the project was suspended obviously while the flood took its toll and dried out, and I got put on a couple of SAS 70 engagements and went through a rapid changeover to understanding how you do an audit. And that’s what actually transitioned me over to compliance and auditing.
Todd Coshow
Oh, cool. Well, Jeff, I heard that you helped put out a new book on PCI DSS 4 recently. Tell us about it.
Jeff Hall
Yeah, so the PCI Dream Team, which is Art Cooper, David Mundhenk, Ben Rothke and myself, for whatever bizarre reason, sat down and decided to write a book. And it’s titled The Definitive Guide to PCI DSS Version 4. The difference about our book from most of them is we wrote it for QSAs and ISAs that are conducting assessments, to give them guidance on what to look for, what kind of documentation you need, pitfalls that you can run into, all that kind of stuff.
Todd Coshow
Very cool. That’s fantastic. Now, where is that available for folks who are interested?
Jeff Hall
Amazon
Todd Coshow
And for listeners, you can go to the episode description on this very episode and there’ll be an Amazon link to Jeff’s book there for you.
Adam Goslin
I have one high-level question. So Jeff, for those that are not aware, how did you get the fine honor of being elected, nominated, founding the Dream Team, if you will?
Jeff Hall
That’s a great question. Well, I didn’t found the Dream Team. Actually, what happened was the Dream Team set themselves up, did two episodes, one of the members decided to drop out and they were looking for a fourth. And I knew all three of the, well, actually I knew all four of the original founders, and Art Cooper said, “God, let’s get the Guru.” And so for those that don’t know, or I’ll remind you, I write the PCI Guru blog, which, I took a lot of heat for calling myself that when I started writing it back in 2009. But really there was nobody around at that time that was willing to answer questions. There was a, there was a group, and the name of the list skips my mind at the moment. I tried to actually buy it when I was at GLADRI in Poland to keep it running, and the two guys that I needed to buy it from couldn’t come up with a price, and so it died. Sadly, it was probably one of the best sources of PCI assessment information around at the time, and so with that dying off I started writing a blog, because that’s what you did way back then. And yeah, I mean, I probably get a couple thousand hits a week, because even though it’s as old as it is, there are posts out there that are still relevant from 2009 and on that explain things to people. Plus it’s just a great source of security information as well.
Todd Coshow
And is that just PCIGuru.com, Jeff?
Jeff Hall
No, it’s actually PCIGuru.blog.
Todd Coshow
OK, now that, too, will be linked in the episode description below. You’ve seen it all, Jeff. You’ve been around a long time. Talk to me about some of the biggest challenges that you’re seeing in the security and compliance space today.
Jeff Hall
The biggest problem, if you read the media, you’d think is bodies, just getting physical people to do the work. Ben Rothke, one of the Dream Team members, did a great blog post that basically proved out the math just doesn’t work. I don’t think it’s bodies so much as experience and expertise. We do a horrible job in both areas, security and compliance, of recruiting people and then training them into the role. There’s no such thing as a rookie with five years of experience. And yet, you see that all the time in these posts. And you just shake your head and go, what are you people thinking? I’ve recruited and trained people all my life. And so one of the biggest problems, though, in compliance is technical skills. I can take a network administrator or an application developer and turn them into an auditor in probably a month. I cannot, conversely, take an auditor and teach them the technical knowledge they need to know in order to go and do a PCI assessment.
Jeff Hall
Sure. And that’s one of the shortcomings of PCI. PCI is very narrow, very focused on protecting cardholder information, and that requires a pretty decent level of knowledge of technical subjects. Networking, voice over IP, server configuration, database configuration, you know, a lot of technical skills that, if you’ve never done them, how are you going to assess it? How do you know that what you’re being told is accurate? And I actually have my own personal tale. I had been auditing a client probably three years. And on year four, they had a group of five people from an organization, a consulting arm, that were all CCIEs. I was a CCNA. And every year I’d interview these people and I just had to take their word for it, but there was just something in the back of my mind. It just didn’t add up. So on year four, I had the ability to get my own CCIE. I didn’t tell them he was a CCIE, but I sent him out there to get the lowdown. And I flat out told him, I’m not comfortable with this. Never have been. I just feel like I’m being told a tale. But I’ve got nothing I can put my finger on to prove it. So he goes out. He’s out there for two and a half hours interviewing these guys, getting demonstrations, et cetera. Comes back and he says, network’s not segmented. I said, pardon me. He said, yeah, it’s not segmented. He said, basically, at the end of the day, I took him to task. He said all the results they were feeding you was garbage. It was all fake. They were just messing with you because they’re CCIEs and they knew they could. Hmm. And it’s that kind of stuff. Number one, I knew enough to know I was being told a tale. Didn’t know why. Just it didn’t add up and it didn’t feel right. But if you can’t put your finger on the details as to why that feeling exists, what do you do as an auditor? You really do have to accept it, because why would anybody want to lie to you? Yep.
Well, and I had to actually go and get my own expert in there and find, come to find out that, yeah, I’d been told a fib.
Adam Goslin
Yeah. Well, it’s interesting, Jeff, coming from the other side of it, you know, being in the kind of security compliance consulting arena, helping companies get ready for those, et cetera.
You know, one of the things that I’ll tell the organizations that I’m working with is, man, you just have to have everything buttoned up, answer the questions directly, honestly, you know, blah, blah, blah. The last thing, and this is kind of like you, right? You’re sitting there thinking for three, four years about, man, there’s something that doesn’t smell right. You know, I’ll tell these people, I’m like, the assessors, they’ve been there, they can smell it coming a mile off if there’s some type of, you know, if there’s some bullshit in the air, they’re going to sniff it out. So, you know, you just need to be truthful and be open and all this fun stuff, and everything will be fine.
Don’t worry about it. But, you know, don’t let them get a sniff of something’s awry, because then they’ll grab on to that and it’ll nag away at them and they’ll eventually get to the bottom of it.
Jeff Hall
Indeed, but that is probably the biggest set of challenges in both topics these days: just getting people up to speed, whether it’s security, a security tool, whatever it may be, or on the compliance side, having that inner intelligence to say, I don’t feel right about something, and being willing to go get the expertise to go back and make sure that everything’s the way you expect it to be and, you know, things aren’t wrong. Sure.
Todd Coshow
Well, that actually leads in nicely to the next kind of question I wanted to ask, which is some of the ways that you’ve found to overcome these challenges, Jeff.
Jeff Hall
Send people off to training. Send them. I’ve sent audit people that are pure audit people off to CCNA training. I’ve sent them off to MCSE training, that is, Microsoft Certified Engineer training. You know, and it’s not cheap, I get that, but they need that skill. They have to have that in order to be more complete about what they’re looking at, and it’s not just PCI. I mean, I can point to HIPAA and HIPAA HITECH. That standard also requires a certain modicum of expertise. CIS, NIST, I mean, a lot of the NIST standards require a certain amount of technical expertise. Not all of them, but some of them do. You know, the latest buzzword, thanks to PCI, running around is crypto agility, which has been around an eternity but got real credence the last couple of years because of quantum computing. You know, everybody’s concerned what happens when these quantum computers can break AES-256. And so, you know, NIST has always said the triple DES is anywhere from a year or two to being cracked because of the cloud and all the GPUs that can be tossed at it. And they’ve cracked it to, what is it, 128 bits. The 164 is still good. But all the other triple DES algorithm bit strengths have been broken, thanks to Amazon, Google and Azure and GPUs by the thousands. So, you know, that’s another mystical thing, is cryptography. Most people don’t understand it, not that they have to understand it, but there are things you have to do in order to make it work so that it’s uncrackable.
Todd Coshow
That’s a good shout. You know, as we transition here, I want to ask a little bit of a self-serving question, I’m not going to lie about it. We heard, Jeff, that there’s a reference in the new book to the TCT portal. We saw a direct reference in your December PCI Guru blog. And honestly, it’s been incredible. Talk to the listeners about your experience with the TCT portal.
Jeff Hall
So I’ve been, God, I’ve been using the portal for five years, no, more than that, probably six and a half, seven years now. Oh, wow. Ran across it at an employer after I left another company, and took a look at it and went, wow, this is actually kind of handy. Well, having done ROCs manually, you know, it’s like going from a horse and buggy to a ’68 Chevelle. Okay. It’s like, oh, wow, it’s kind of nice not having to sit behind a horse. So, you know, it’s gotten better over the years. One of the things that I always tell people when they ask me about TCT is the fact that, you know, I can reach out and say, hey, you know, it’d be really, really nice if it would do X, and you guys will come back and say, well, we can’t really do X, but we could do Y. Well, that’ll get me most of the way there, okay, that’s cool. Or in most cases it’s, oh yeah, that is a good idea, and so two, three down the road, all of a sudden, wow, okay, cool, that’s there now. But I’ve looked at a lot of other tools, and one of the things about other tools is they’re really, really cool and they’re really, really nice, but they also come with a price tag that a consulting firm just can’t justify. Sure. You know, the price point, and then when you roll that into your projects and you go, yeah, clients aren’t going to pay for that. I don’t think they care what it looks like and how good they think it feels, but yeah, they’re just not going to pay for it. And so there are very, very few options sitting out there that we really have. There are a lot of options for the internal companies that are doing their thing, but there are very, very few options for the QSAC sitting out there to use. Never mind the fact, I mean, in my case I run a GRC practice, so we do PCI, we do quite a few PCI engagements, but we also do SOC 2 prep, we do HIPAA HITECH prep, we just did an engagement on NYCRR 500, and lo and behold, wow, TCT’s got a template. Cool. Great. And so, as a result, we also do CIS Controls assessments. I need all of those. And a lot of the tools are focused on PCI or focused on ISO 27k, or some standard, they might have one other one in there. And I need them all. And so that’s probably the biggest selling point at TCT: I have all those and I don’t have to worry about having multiple tool sets in order to get my team to get their work done.
Todd Coshow
That’s fantastic. Now, as you’re thinking about the TCT portal in relation to PCI v4 specifically, is there anything that you’ve noticed about the new version of the standard that the TCT portal makes significantly better than doing it manually?
Jeff Hall
Well, you should have had Coop on, because he’s been bemoaning to me for the last three weeks. He’s doing a version 4 ROC by hand. Oh no. And he’s, yeah, he’s had enough of it.
Todd Coshow
This is Coop’s official welcome to Compliance Unfiltered; whenever he is so inclined, he’s going to join us tonight.
Jeff Hall
I hate to tell you this, but his company really only does PCI engagements and he went with a different tool. Yeah. But he knows of you because he’s looked at it. I know he kicked the tires on it, but all he does is PCI and they wanted a tool that just did PCI, and so they went with a competitor, but they still don’t have it implemented yet, so.
Todd Coshow
I’ve learned in this life, Jeff, that most of the time you give it to people. So, you know, as we’re turning the corner on this here, tell the folks where they can find you, how to get a hold of you.
Jeff Hall
Once again, where to find the book. So the book, again, is at Amazon. And we’d appreciate it if you buy it. We get a few cents out of every copy. I can be reached at PCIguru@gmail.com. You can also send stuff to us at PCIguru.com, or to PCIdreamteam@gmail.com if you want the whole Dream Team to weigh in on something, because, as everybody’s well aware, you’ve got multiple QSAs, you usually get multiple answers, although usually pretty much all singing from the same sheet. Sure, sure. Parting shots and thoughts for the folks this week, Adam?
Adam Goslin
Well, I just appreciate having the opportunity to have the chat with Jeff, you know, kind of hearing about his story, being able to learn from your wealth of knowledge and experience in the space, has been awesome. You know, we have certainly appreciated having you on Compliance Unfiltered, and just wanted to thank Jeff for kind of coming along and sharing with the Compliance Unfiltered audience. We really appreciate it. When we post up the blog, we’ll include a number of the links in the show description for listeners to contact Jeff, for reaching the PCI Guru pages and where to find the book.
Adam Goslin
So just in summary, Jeff, thank you very much for joining us today on Compliance Unfiltered. We really appreciate it.
Todd Coshow
That right there. That’s the good stuff. Okay, Jeff, I see you still on here. Yeah.
Adam Goslin
Let’s go ahead and get back onto the audio of the Teams, and I’ll join there in just one second. All right. Cool. Well, that’s all the time we have for this episode of Compliance Unfiltered.
Todd Coshow
I’m Todd Coshow.
Adam Goslin
And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.