Tuesday, December 10, 2013

PCI Events in Nice and Kuala Lumpur – a boondoggle for the CTO or worth going?

comForte has had a presence (both technical and sales side) at all three PCI Community meetings this year. The events took place in

Here are some comments from me, Thomas Burg, CTO of comForte. As this is a blog, I allow myself to stray off topic here and there.

Executive Summary

One of my favorite quotes in the realm of computer security is by the famous author Bruce Schneier: SECURITY IS A PROCESS, NOT A PRODUCT. I first read this quote more than 10 years ago, and it remains as true and important as ever; see below for details. Also, in my strong opinion, if you think you can ignore PCI – think again; more on this below.

The PCI Council continues to do a rather excellent job of educating anyone who wants to listen on the merits of becoming PCI compliant. By now, there is a positive sense of a community working together for a greater good. If you have never been to any of these events, just go to the next one in your region: if you are interested in PCI, the council meetings are a fantastic place to be. The events are rather well organized and the locations chosen are nice – whether you are in for a boondoggle or whether you want to listen and learn :-)

On a less positive note, IMHO it is becoming more and more apparent that the PCI Council itself is not funded by the big credit card organizations such as Visa, MC and Amex. To me, that is really a bit of a scandal: the council and the community are working very hard to get good stuff going – and the “big 3” cannot spend US$10 million a year to fund the council? P-lease! That is pocket change for them. The net result of the Council being a non-profit without funding from the Big 3 is that the money has to be collected elsewhere – more on this below.

The strong community

As mentioned earlier, there is a rather strong sense of community. I attend many conferences every year and over time have attended Gartner conferences, RSA, SANS and others. All have different pros and cons – but what strikes me as excellent at the PCI events is that the whole team (paid and unpaid) is extremely ‘approachable’. In fact, they will approach you if you don’t approach them. Hats off to Jeremy, Bob and the rest of the team.

It took me a few visits to conferences to figure this one out, and I have seen colleagues who join me at conferences not having figured it out yet. At which other conference can you come up with any question (e.g. “how can I find Mr. XYZ?”), simply ask anyone on the conference team (be it a friendly staff member or the CEO of the Council, Mr. Bob Russo) and get help?

The strong community also encourages free networking among the participants, who come from roughly four groups: the PCI Council, vendors (like comForte), PCI auditors/assessors, and companies falling under PCI assessment. Bringing these four groups together for “mingling” is probably the most important thing the council is doing.

Any new trends?

I hope I am not disappointing anyone, but I think the quick answer is “No”. In fact, if you look at the PCI Council from PCI 1.0 in 2005 (??) onwards, I don’t think there is a lot of news in the goals of the standard or in the way PCI is dealt with.

What has changed, and most probably will keep changing in the near or mid-term future: if you think you can ignore PCI – think again. This holds true for Europe and the US – and increasingly so for Asia/Pacific. Let me paraphrase what the message of the PCI Council and the PCI standard really is: SECURITY IS A PROCESS, NOT A PRODUCT.

Once you understand this, and if – and only if – you understand that good security does not come cheap, the rest follows easily…

Of course there are some details, but I will reserve these for a (potential) later blog.

So: Is it worth going for comForte or is it a boondoggle for the CTO?

To be honest, I don’t do boondoggles – at least not on purpose :-) That said, it is increasingly questionable whether the expenses connected with …

  • Being a council member
  • Going to the meetings
  • Having a booth
  • Becoming certified
  • Training for certification (mandatory for some certifications! That is a FIRST – and I have looked at a lot of certifications. I find that highly objectionable – if you know the stuff, why pay for training?)
… are worth what they individually cost. There is ‘competition’ out there: RSA, ISC2, IASA, SANS, free events – a whole ecosystem of companies, event organizers and non-profit organizations which all want to make the computing world more secure.

Personally, as the CTO, I think we should have technical representation at each event – if nothing else because you meet smart and friendly people there. Whether we continue to invest as heavily in marketing activities is (fortunately) not my decision.

Please comment

I welcome comments: please use the “comment section” on the blog page, send me an e-mail at t.burg@comforte.com, contact me via LinkedIn at http://de.linkedin.com/in/thomasburg66, or join the discussion I will start very soon in the LinkedIn group HP NonStop [Tandem] security.
