My colleague and I both zeroed in on the “Verizon® 2011 Payment Card Industry Compliance Report: A Study Conducted by the Verizon PCI and RISK Intelligence Teams” (the “Verizon Report”). The Verizon Report reviews more than 100 PCI assessments that Verizon’s PCI assessment team performed in 2010.

To cut to the chase, the report confirms what we all know: security is hard. PCI compliance, a good indicator of security readiness, is a complex, continuous and evolving process. The report also finds that businesses are not getting much better at meeting the PCI standard from one year to the next.

Highlights of the study include:

  • 79% of businesses assessed initially failed compliance
  • Organizations struggled most with protecting stored cardholder data (Requirement 3); tracking and monitoring access (Requirement 10); regularly testing security systems and processes (Requirement 11); and maintaining an information security policy (Requirement 12)
  • Of the companies that initially failed, only 11% met Requirement 10, which covers tracking and monitoring all access to network resources and cardholder data

Some of the conclusions of the study are: 

    • Real-world demands and fatigue can get in the way of compliance. Specifically, the study says, "When faced with the choice of where to place their energies, many people will choose to just get things done rather than worrying about the 'right way' or the 'compliant way'"
    • “Compliance is a dynamic process and not a point-in-time event.” It takes sustained effort to stay compliant as the environment changes.
    • “Security and, by extension, compliance, are still considered to be a drag on the economy by most businesses rather than an assumed part of the risk of doing business.” Businesses that treated security as a continuous, valuable process worth investing in were more successful at compliance, too.
    • Organizations that suffered data breaches were much less likely to be compliant than the general population of PCI clients. Verizon combined results from the PCI Compliance Report and its Data Breach Investigations Report (DBIR) and found that PCI clients scored better than breach victims by a 50% margin.

This got us wondering: why are so few businesses able to meet the requirements when a number of easy-to-use, affordable solutions exist to help? Are these simply not pain points that network engineers feel? Are the requirements not understood? Is proactive compliance viewed as too expensive? Or do teams simply not have the time to implement it?

All too often, compliance is something you think about at audit time, when you have to prove that everything is in order, and a tremendous amount of time and effort goes into the prep work. With the right systems in place, much of that work can be automated, and automation is what makes compliance manageable. The goal is for compliance to become part of doing business rather than a sprint you prepare for around audit time.

The study cites “failure or inability to invest in a capable automated tool” and “not maintaining security procedures to trigger a response to an exception report” as two key issues in this area. SolarWinds offers two powerful, easy-to-use and affordable products that automate many of the processes and reports required to achieve PCI compliance.

SolarWinds® Network Configuration Manager (NCM) lets users verify that network device configurations comply with internal standards and with external regulations such as PCI. NCM’s policy reporter automates much of the policy-compliance process by flagging devices whose configurations violate policy: devices that could be accessed by unauthorized users, that pose a security risk, or that do not meet configuration standards. See the NCM product page for more information.
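To make concrete what a configuration policy check of this kind does, here is an added example in Python; it is not NCM’s code or its built-in PCI policy. A handful of hypothetical rules, each tagged with an illustrative PCI DSS v2.0 requirement number, are run as regular expressions over two constructed Cisco IOS-style configurations: one device fails on telnet access, a default SNMP community string and a plaintext enable password, the other passes. The rule set, the requirement mappings and both configs are assumptions made for the example.

```python
"""Toy device-configuration policy check for a PCI-style audit.

Added example, not SolarWinds NCM code. The rules, the PCI DSS v2.0
requirement mappings and the two IOS-style configs are constructed
for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    requirement: str   # illustrative PCI DSS v2.0 requirement number
    description: str
    pattern: str       # regex applied to the whole config with re.MULTILINE
    must_match: bool   # True: config must contain a match; False: it must not


# Hypothetical baseline, loosely modelled on what a PCI network-device
# policy usually checks. Not NCM's built-in PCI policy.
RULES: List[Rule] = [
    Rule("no-telnet", "2.3", "VTY lines must not accept telnet",
         r"^\s*transport input .*\btelnet\b", must_match=False),
    Rule("ssh-only", "2.3", "VTY lines must accept SSH only",
         r"^\s*transport input ssh\s*$", must_match=True),
    Rule("no-default-snmp", "2.1", "Default SNMP community strings must be changed",
         r"^snmp-server community (public|private)\b", must_match=False),
    Rule("no-plaintext-enable", "8.4", "Use 'enable secret', not 'enable password'",
         r"^enable password ", must_match=False),
    Rule("password-encryption", "8.4", "service password-encryption must be on",
         r"^service password-encryption\s*$", must_match=True),
    Rule("central-syslog", "10.5.3", "Logs must be sent to a central log server",
         r"^logging (host )?\d+\.\d+\.\d+\.\d+", must_match=True),
    Rule("ntp", "10.4", "Clock must be synchronised via NTP",
         r"^ntp server ", must_match=True),
]


def check_config(device: str, config: str) -> List[Dict[str, str]]:
    """Return one violation record per rule the device config fails."""
    violations = []
    for rule in RULES:
        found = re.search(rule.pattern, config, re.MULTILINE) is not None
        # A prohibition fails when the pattern is present; a requirement
        # fails when it is absent. Both reduce to found != must_match.
        if found != rule.must_match:
            violations.append({
                "device": device,
                "rule_id": rule.rule_id,
                "requirement": rule.requirement,
                "description": rule.description,
            })
    return violations


def audit_fleet(configs: Dict[str, str]) -> Dict[str, List[Dict[str, str]]]:
    """Run every rule against every device; an empty list means compliant."""
    return {device: check_config(device, cfg) for device, cfg in configs.items()}


def compliance_rate(results: Dict[str, List[Dict[str, str]]]) -> float:
    """Fraction of devices with no violations (0.0 when there are no devices)."""
    if not results:
        return 0.0
    passing = sum(1 for violations in results.values() if not violations)
    return passing / len(results)


# Constructed IOS-style configs for two imaginary switches (not real devices).
NONCOMPLIANT_CONFIG = """\
hostname core-sw1
enable password cisco123
snmp-server community public RO
logging host 10.0.0.10
ntp server 10.0.0.5
line vty 0 4
 transport input telnet ssh
"""

COMPLIANT_CONFIG = """\
hostname core-sw2
service password-encryption
enable secret 5 $1$abcd$example-hash-placeholder
snmp-server community Xk92qLm7 RO
logging host 10.0.0.10
ntp server 10.0.0.5
line vty 0 4
 transport input ssh
"""


if __name__ == "__main__":
    results = audit_fleet({"core-sw1": NONCOMPLIANT_CONFIG,
                           "core-sw2": COMPLIANT_CONFIG})
    for device, violations in results.items():
        status = "PASS" if not violations else f"FAIL ({len(violations)} violations)"
        print(f"{device}: {status}")
        for v in violations:
            print(f"  [{v['rule_id']}] Req {v['requirement']}: {v['description']}")
    print(f"fleet compliance rate: {compliance_rate(results):.0%}")
```

The point of the `must_match` flag is that a baseline needs both prohibitions (no telnet, no vendor-default community strings) and required settings (central syslog, NTP), and a device passes only when every rule holds. That is also why compliance is not a point-in-time event: a single drifted line, such as someone re-enabling telnet on the VTY lines to "just get things done", flips a device from pass to fail between audits, and only a scheduled re-run of the check will notice.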

SolarWinds Log & Event Manager (LEM) is built to meet security and log-management requirements: quickly identify attacks, highlight threats and uncover policy violations; respond to events and shut down threats immediately with automated actions; and produce the reports you need to prove compliance. For more information, see the Log & Event Manager site.

This is the first post in a multi-part series. Stay tuned for more on how SolarWinds Network Configuration Manager and Log & Event Manager specifically address compliance needs.

Brad Hale, product marketing manager for SolarWinds network management products, is a 25-year veteran of technology product management, marketing and business development who has worked across numerous vertical market segments in the software, hardware and systems industries.

[ED. NOTE: The post above was co-authored by Nicole Pauls. Nicole is a director of product management at SolarWinds and is primarily responsible for wrangling log and event data into a meaningful IT tool via SolarWinds Log & Event Manager. Product manager during the week and Ironman triathlete on the weekends, she somehow finds time to comment on industry trends, too. The post also references the copyrighted work “Verizon® 2011 Payment Card Industry Compliance Report: A Study Conducted by the Verizon PCI and RISK Intelligence Teams,” written by the Verizon Wireless PCI and RISK Intelligence Teams (the “Verizon Report”).]