Troy Leach, CTO, PCI Security Standards Council - Headlines Industry Session at ControlCase Conference
Leach and the ControlCase CEO hosted a discussion on "Assessing the Effectiveness of Your PCI Program."
(left to right) Kishor Vaswani, CEO – ControlCase, and Troy Leach, CTO – PCI Security Standards Council, at the ControlCase Annual Conference themed "Cloud and Mobile Payment Compliance."
ControlCase, a leading global provider of Compliance as a Service (CaaS), Certifications, and IT Governance, Risk and Compliance (GRC) software, recently held its Annual User Group Conference at the Willard Hotel in Washington, DC, USA. This year's event, themed "Cloud and Mobile Payment Compliance," attracted professionals working in the areas of IT Governance, Risk and Compliance from banks, merchants and service providers around the world. Conference speakers included senior executives from ControlCase, the PCI Council, Société Générale, FedEx Services, Intersections, Bryan Cave and HITRUST.
A key highlight of the conference was an open discussion facilitated by Kishor Vaswani, CEO - ControlCase, and Troy Leach, CTO - PCI Security Standards Council. The discussion focused on how companies can measure the effectiveness of their PCI programs, and identified ways to evaluate the return on investment of PCI compliance in terms of the efficiencies gained and the risk reduced across the organization's compliance effort.
During the discussion, Troy Leach offered some guiding principles for PCI DSS. According to Leach, "Instead of focusing on negative numbers, such as cost, security professionals should demonstrate improvements in security posture and other efficiencies that benefit the company."
"ControlCase events provide a platform for organizations to share best practices for making security a key part of overall business planning and a main focus in the education and training of staff," said Vaswani.
Key takeaways from the discussion with Leach and Vaswani included:
Reduce the attack surface - Organizations should re-evaluate legacy business processes and eliminate unnecessary storage of, and access to, cardholder data.
Continuous Awareness & Protection - For the minimal footprint of cardholder data that remains, exercise due diligence and continuously monitor the PCI DSS requirements that protect it, using a defense-in-depth approach.
Prevention of new types of exposure - Changing business environments and processes may introduce new types of exposure, as will the evolution of malware and other threats.
Measure success and identify opportunities for improvement - Only by measuring the improvement in an organization's security posture can security professionals truly know the effectiveness of their efforts and how to improve them. Effectively communicating these metrics across the organization should be a cornerstone of business planning.