Check out the ‘Great PCI Security Debate of 2010’ podcast pieces. Part 1 is hosted at CSOOnline. Part 2 is hosted at the Network Security Podcast. Everyone is quote-irific. Everyone has great points, and I find myself agreeing with most (but not all) of what every person is saying, which itself shows the challenges we have in security. It is not about finding the ultimate answer to the universe and everything; it is still a very subjective view of what you’d think is a very objective discipline (IT).
Josh Corman early on had some great quotes:
“What a strange twist of fate that we now fear the auditor more than the attacker.”
“We’ve reached a level of completely unacceptable and unsustainable cost and complexity.”
And Jack Daniel:
“There are a lot of people just trying to get past [PCI].”
“Their [network admins and systems admins] goal is for the network to work and the systems to work, and that’s what they’re judged on. That means getting PCI out the door.” <-- This reminds me of the paradigm difference between security in the trenches and security in the exec rooms. It also reminds me of Rybolov's Infosec Mgmt graphic. It might also exemplify the difference in perspective between macroscopic (global/universal) and microscopic (1 network) security…