The Payment Transformation
October 16, 2018
·
By
J.R. Cunningham
·
Since the dawn of transactions between humans, the physical point of the transaction has served as a key instrument in the prevention of fraud, financial theft and mistakes. Letters were sealed by their senders with wax and an impression that was unique to them, ancient Roman tax collectors would carefully examine coins to ensure they weren’t fakes and cattle ranchers would brand their cattle with hot irons to prove ownership. Even the relatively modern (in the scheme of things) cash register of the early 1900’s would have a marble slab for coins that would enable the merchant to drop the coin onto the slab and determine, by sound, if the coin was real.
Continue reading
Caught Between a ROC and a Hard Place
October 9, 2018
·
By
J.R. Cunningham
·
It’s important to understand the perspective of both the business and the security leader. Merchants invest heavily in PCI compliance and it’s money well spent. However, they continue to struggle with prioritizing, implementing and supporting vital payment security programs. The business perspective is that PCI compliance is a necessary evil, both because non-compliance risks increase credit card transaction fees from the acquirer, and because it’s perceived to be one of those “have to” regulatory requirements such as the Sarbanes-Oxley Act (SOX), Health Information Technology for Economic and Clinical Health Act (HITECH), or Federal Information Security Management Act (FISMA) (even though, frankly, it’s not).
Continue reading
Inside and Outside the Cardholder Data Environment
October 4, 2018
·
By
J.R. Cunningham
·
Businesses have spent an enormous amount of money on PCI compliance. It is time to leverage these existing investments and expand them to include payment security. Therefore, it’s important to find the common ground where PCI compliance and payment security can benefit one another. The quickest way for cyber security professionals to get thrown out of the board room is to say, “Remember that PCI thing? Well, scratch that, we need funding for a whole new security approach.”
Continue reading
Data is the New Currency
September 26, 2018
·
By
J.R. Cunningham
·
In today’s digital world, data is currency. Nowhere does this phenomenon show itself more clearly than in the world of payment transactions. Payment forms have taken a variety of identities from mobile pay, cryptocurrency, stored transactions, in-app transactions, money transfer apps, etc. And, yes, credit cards are still used, albeit with a few new features such as chip and pin number.
Continue reading
Part 2: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks
March 8, 2018
·
By
J.R. Cunningham
·
In part 1 of this series, we provided insights responding to the frequent question regarding control frameworks and their place in the security strategy. During hundreds of strategy, risk and compliance engagements, we have seen that security programs (of different levels of maturity) are most successful when they participate in regular tune-ups to keep up with the business. In this installment, we will discuss the “how”—understanding the business, the role of the threat, current steps and the best way to approach the gaps, which doesn’t necessarily mean filling them.
Continue reading
Part 1: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks
February 28, 2018
·
By
J.R. Cunningham
·
During hundreds of strategy, risk and compliance engagements, Optiv’s consultants often have been asked very thoughtful and deep questions about control frameworks and standards by our clients. Such topics often center on which of these frameworks and standards are most appropriate for a particular organization, which specific controls are most important, and in what order and to what depth an organization should pursue maturity with a particular set of controls. In this two-part blog series, I’d like to share some field observations on this topic gathered by Optiv’s strategy, risk and compliance teams.
Continue reading
The GDPR 90-Day Countdown is On! (No Need to Freak Out)
February 26, 2018
·
By
J.R. Cunningham
·
May 25, 2018 is a day that many organizations have (or should have) marked on their calendars as a game-changing moment for their business. That’s the “go-live” date for the European Union’s General Data Protection Regulation (GDPR). As I previously wrote, this truly is a groundbreaking piece of legislation that should be taken very seriously. And if you read the countless GDPR-related research reports and surveys, it’s clear that few (if any) US companies impacted by the regulation will be fully compliant in the next 90 days.
Continue reading
Want to be a Great Security Leader? You Need a Great Lawyer
December 7, 2017
·
By
J.R. Cunningham
·
Information security continues to evolve as a profession, and this is certainly evident in the role that legislation, privacy, third-party risk and incident management play in the daily life of the information security leader. More often, as I meet with clients to discuss security strategy and risk, security leaders are struggling with the myriad of compliance requirements, various state and national privacy laws, and their relationship with the information security program.
Continue reading
GDPR Part 3: GDPR and the Information Security Program
November 7, 2017
·
By
J.R. Cunningham
·
In this third and final part of the series, we’ll spend some time bringing GDPR and its various requirements back into the information security program in an effort to identify areas where GDPR compliance may become a side-effect of a business-aligned, risk-based, data-centric and threat-aware information security program.
Continue reading
GDPR Part 2: The Six Information Security Pillars
October 31, 2017
·
By
J.R. Cunningham
·
In this second part of the series, we will discuss Optiv’s Six Information Security Pillars for GDPR compliance. For the information security professional, these six pillars will look familiar as standard components of an effective information security program. For this discussion, however, we will be relating these components of the information security program to the various applicable components of the GDPR.
Continue reading
(13 Results)
