Not even a third of the global organizations could fully meet the requirements of PCI DSS (Payment Card Industry Data Security Standard), which is a worrying development – what does this mean in concrete terms for consumers?
– The ongoing lack of payment compliance is a worrying trend. Consumers trust the brands they buy from and trust in the systems they use – lack of compliance can mean that their personal data is vulnerable to criminals. Payment data remains one of the most sought-after and lucrative targets for cybercriminals, with 9 out of 10 data breaches being financially motivated, as highlighted by the recent Verizon Business 2020 Data Breach Investigations Report (2020 DBIR). Within the retail sector alone, 99 percent of security incidents analyzed by the 2020 DBIR were focused on acquiring payment data for criminal use.
The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data, and consumers trust businesses to safeguard their information. Payment security has to be seen as an ongoing business priority by all companies that handle any payment data; they have a fundamental responsibility to their customers, suppliers and consumers.
The decline in how companies have lived up to the security requirements is also worrying. Why do the numbers look like they do? What is your analysis of this issue?
– We see the same issues behind the lack of compliance across every requirement including security.
Over the past few years we have highlighted that the main reasons for this decline were the lack of sustainability of the security controls and the lack of proficiency of the available resources. Last year we also pointed out that too many companies see payment security as an add-on to other projects instead of prioritising it as a global program.
However, this year we point to the lack of leadership engagement – which is a major issue. The responsibility to plan, design, execute and support data security resides with many people, not just the CISO. Long-term development of sustainable control effectiveness lacks priority and focus. Without this long-term strategy, companies are deemed to fail.
How can we make the trend break? And what will we see if we do not get a trend break? What is the worst-case scenario?
– In order to break the trend the answer doesn’t lie with more technology; it lies with people, priorities and processes. Data security is a process that requires long-term attention to strategic initiatives and commitment from senior management.
In addition, there are five elements that make up a high-performance data security compliance management environment:
1. Security business model (SBM): An overarching model that ties all the elements together to obtain business support for security strategy. This model defines the objectives and how core processes are structured to deliver maximum value—and supports how the organization’s models, frameworks and programs are aligned.
2. Security strategy: The security business model is then translated into a strategy. The strategy is mainly concerned with determining the careful selection and prioritization of the security and compliance approach and objectives, and ultimately guides the allocation of scarce resources. The security strategy must be aligned with a business model. It won’t define the “how to.” Today, only a small number of CISOs are successful in aligning the cybersecurity function with their organizational strategy.
3. Security operating model (SOM): The strategy is supported by the security operating model, which is concerned with the alignment of resources and processes. The operating model represents how value is created by an organization—and by whom within the organization. The operating model must be aligned with your strategy, or there will be poor execution and an uphill battle to deliver results.
4. Security frameworks: CISOs are finding it difficult to align their security frameworks with the organization’s mission. The correct selection and application of frameworks should move organizations away from being too technically focused. Frameworks provide structure. They can be thought of as the skeletal system upon which the body of a sound program can be built. Generally, frameworks are operational in nature and provide a detailed description of how to implement, create or manage a program or process. Frameworks are typically principles-based and open to continuous improvement. As a result, frameworks usually rely on subsidiary standards to “make it happen.”
5. Security programs and projects: The operating model is supported by the security program. The program delivers outcomes by managing a collection of projects, where the achievement of long-term objectives can only be realized when it’s collectively managed as a program. From a governance perspective, there are six major outcomes that the security program should work to achieve. These are: Strategic alignment; Risk management; Value delivery; Resource management; Performance management and Assurance process integration. The intent of a data security compliance management program is to design and execute a governance framework and maintain control over the program activities for extended periods of time. This provides the best possible chance to succeed in achieving the stated objectives with the available resources.