I’ve been feeling firsthand the pain of implementing PCI in an SMB for the past 6-odd months. It’s not all that fun in some regards (implementing ongoing security in an environment that doesn’t have the time for those tasks). So I try to read opinions on PCI any time I see some.
To paraphrase Tom Hanks’s character in ‘A League of Their Own’, “There’s a reason security is hard. If it wasn’t hard, everyone would do it.”
Truth. I think it gets even harder the more you avoid having qualified staff add to your security value. You want to automate everything for the checkboxes? You’ll end up spending more and getting less in return, even if you do fill in the checkboxes.
This could lead into the other two articles about pen testing. I am a proponent of pen testing as a necessary piece to a security plan for various reasons. But I also think one reason vuln assessments and pen testing get blurred is because of the limited engagements that many third-party pen testers get thrown into, in terms of time and scope. Give a tester 2-5 days for a network-only test and you really are forcing them to rely decently on automated tools more akin to vulnerability assessments. Granted, you get a lot more, but you also get a lot more for having qualified internal staff always thinking from an attacker’s perspective, who can also do longer and more frequent pen-testing types of duties.
In short, it just comes back down to my continued, deeply-held belief that security begins and ends with talented staff. Just like your software products, financial audits, and sales efforts begin and end with staff appropriate to their duties.