I have seen the enemy, and it is me.
I recently attended a training class for certification as a payment card assessor. I came away from that training session with quite a bit more than just the 3-letter acronym for the certification, and I wanted to share some insights and opinions (of course).
- First, let me say that the course was atrocious. Horrible. Here’s why: the instructor. Not the material, per se (although there is a lot of room for improvement), but the instructor and his teaching style. He had no style. He was dry, he was stumped on questions at least 10 times per day, and he offered no real-world examples or concrete guidance that attendees could truly benefit from.
- The guidance overall was very literal in some areas, but usually vague. So assessors leaving this class are not getting a lot of “lessons learned” or “here is the best way to do this or look at this” kind of advice.
- The range of backgrounds and skill sets in the class were as varied as I’ve ever seen. This could be viewed as a positive OR a negative, depending on your perspective, but the frightening thing was the very obvious lack of knowledge some folks had, and some of the questions asked were flat out stupid. Yes, I said it, and I mean to be a bit derogatory. If you are asking some of the questions I heard in this class, you need to be studying up for Security+ at best.
- The test was easy. Really easy.
What’s the take away? Well, I have some thoughts, maybe a little advice. Here goes.
First, we really need to start interviewing payment card assessors.
Ask for resumes. Do an actual interview. Ask about real experience with the same technologies in use within the organization. If you don’t like someone, or don’t feel they are a good fit, ASK FOR SOMEONE ELSE or TALK TO A DIFFERENT CONSULTING FIRM! Why is this hard?!
Second, do not let a non-technical manager do the interview or make the call alone. In fact, as some of you know, I am not a fan of “GRC fanboys” running security teams in general, as they tend to be full of shit. “governance blah blah blah” and “controls blah blah blah” do not a true security architecture make. I have about had it with folks who hide behind “frameworks” and paperwork. If the audit team or compliance team makes the decision (and they tend to be a little less technical overall), ensure technical folks are involved to help call BS on would-be assessors who roll buzzword-style.
Third, ask for samples.
Although no one is going to share a formal compliance report with you, some examples of audit reports and writing should be available for assessors and consulting firms. IF they won’t provide this, just move on. Don’t waste your time.
The term “enemy” is probably a little strong. However, there is really almost no standardization here. You’re on your own to validate someone’s credentials, and it is obvious to me that consulting firms are hiring some very “green” or less experienced people to do this work. Don’t fall victim to these people, as they can have a huge impact on your business and compliance programs.
A final note: One class attendee, who can only be described as a douchebag, actually described himself as a “Master Security Architect”. If you have any desire to get respect from your peers, or maintain the semblance of a social life, do not ever refer to yourself as a “Master Security Architect”. Gawd.