Check the Box

“There’s over 300 requirements on this standard…”

This is going to take a while; someone put on some coffee.


Evidence submission for PCI compliance is never a fun time, both for the organization facing the assessment and, frankly, for the assessor. I was in the PCI assessment space for all of about 18 months before I got tired of the paperwork, the constant battles over what constitutes evidence, and the back-and-forth meetings for basic clarification that frankly could have been rolled into the artifacts submitted. On the organization side of things, gathering, reviewing, and submitting the evidence was a feat unto itself. This process is the reality for many companies that have to attest to various audit frameworks, and for those who have to assess that evidence. There has to be a better way; someone please stop the madness.


Letters to the Auditor

Having spent time on both sides of this part of the industry, I quickly learned the difference between the letter and the spirit of the law; but most importantly I learned how evidence needed to be presented to satisfy both the letter and the spirit. These are important concepts not often taught until you’re actually in the PCI training. Even in the PCI training itself you tend to spend more time reading the standard than learning how the assessment actually takes place, so any shortcut that makes things easier for each side goes a long way in the relationship aspect of the work.


“I have one month of material and three months to deliver it, time to get creative”

During a PCI course I came to the realization there wasn’t enough material to fill a whole semester. That’s a tough sell, especially in a bad time slot, so I needed a way to get information across that was relevant to industry expectations, in a way that wasn’t as boring or tedious as traditional governance training.


I’ll need enough D20s for everyone

I knew the right solution to the requirements was something game-like, and the concept of a Dungeons & Dragons style tabletop exercise (TTX) adventure isn’t entirely novel, but I made some adjustments to align with the outcomes I needed. Instead of specific people playing roles inside a business, there were teams with shared abilities that moved the incident along. Single students were assigned to the CEO and CISO roles within the game, with strategic-level capabilities to help the incident in various stages. Compliance also had a team, since the goal was to teach how incidents and compliance overlap.

I didn’t have a lot laid out in formal fashion, since I wanted the experience to unfold organically, which meant elements of randomness and improvisation would be necessary to keep things interesting while still allowing me to steer the direction of the incident and the underlying teaching. Armed with a bag full of D20 dice, a loose agenda of at the very least teaching the six phases of incident response, and a strong background in standup comedy, a new lesson plan emerged.


How could we as a business prevent this next time?

While this was a mock incident inside a fictional e-commerce company, it didn’t take long for my students to ask questions I would expect from the C-suite in similar situations. This led to a fruitful discussion about security program development, how compliance attestations can help that effort, common pitfalls in incident handling, and incident impact. This was especially surprising since the majority of the students had not spent any time within a corporate security program.


Achievement Unlocked, Learning In The Dark

Within a two-hour time frame typically reserved for happy hour or dinner reservations before a show, 30+ students received a thorough lesson covering incident handling and response, business-layer impact, and security program gap identification, and we managed to have no shortage of laughter about the in-game accidents along the way. The session was accessible to everyone; while I encouraged everyone to feel free to speak up and ask questions, some preferred to watch and listen. There was no struggle to get people engaged in the process, and the game became a frequent request for the remainder of the semester.

The best part of this: we managed to cover how a PCI program and a security program intertwine, and more importantly how an incident in the business can impact compliance if controls aren’t properly managed.


If you’re looking for something to showcase your security program, gain valuable insight into potential response gaps, help manage incident expectations with every layer of the business, and convince end-users to care about information security, reach out and let us know!
