Few things inspire fear and loathing like regulatory compliance. Josh Seeger, CIO of Tribune Broadcasting, faced a hugely complex task in ensuring the company met the requirements of the Payment Card Industry Data Security Standard. His experience showed that, while compliance can be burdensome, it can also serve as a window into your network's security posture.
PCI compliance can be difficult even for small organizations. How did you go about the process in such a large company? We have a massively distributed organization with dozens of business units. Because the company is so distributed and there are many areas where the use of credit cards is a part of our normal business, we needed to get the most efficient method for complying with PCI. We have a small but highly skilled group of corporate IT specialists, so we needed to find a way to use as little of their time as possible. A lot of the credit card activity is contained within small separated segments of our network infrastructure. Since many other units are involved in those transactions, we needed to find a way to comply.
How much of a burden was it to comply? We have a lot of security infrastructure already, so a lot of the requirements we were already in compliance with. But, we needed to be able to demonstrate that. The priority was having a way to certify our compliance in a formal way. We needed a trusted third party [Qualys] that was certified by the payment card companies to help us do that.
Was there anything you found in the process that surprised you? We're using Qualys as our scanning tool, and it's discovering things in some of the servers on our Internet-facing segments that were classified as vulnerabilities. They weren't serious, but there was potential there. In a 24x7 business such as ours, there are imperatives that keep things running and delay things like patch management. So there were servers that were somewhat behind in their deployment of patches. Having that information allowed us to prioritize those, especially if they contained credit card information.
PCI is fairly stringent, so it does require additional work, but nothing that we wouldn't have wanted to do anyway. I would actually credit PCI with helping us persuade local IT managers to get their stuff in shape.
Is it difficult to look at some of these regulations and say, 'Where is the return on investment for us?' We can't afford to have any doubt that we're doing everything possible to comply with regulations like PCI and Sarbanes-Oxley. We have our external auditors focusing regularly on all of our business units. Internal auditors mirror what they're doing. We're not at a point, and I doubt we ever will be, where we say profit is more important than compliance.
Read the full interview with Josh Seeger at searchsecurity.com/ismag.