This is probably validation of the effectiveness, the evolution of the standards being shown in the balance that there's not one particular pain point in achieving compliance.
director of security solutionsCisco Systems, Inc.
PCI is a top-of-mind business issue and is a budget driver for security and network projects, said Fred Kost, director of security solutions at Cisco. The survey found slight increases in spending for security in 2011. Of those surveyed, 60% said their five-year spending on PCI compliance was between $100,000 to more than $1 million.
"A majority of organizations really believe they are more secure if they pursue PCI, and really felt that it is necessary to protect data," Kost said. "There is a feeling of real benefit here versus something that has been imposed upon them."
Survey respondents said their top concern was educating employees on the proper handling of cardholder data. Forty-three percent suggested that end-user education was an issue in their organization.
Security experts have been debating the usefulness of security awareness training, but nearly all agree that over time, short security awareness training classes can be an effective way of reducing some data loss. Robert Cheyne, founder and CEO of SafeLight Security Advisors, a Providence, R.I.-based security training company, said a successful security education program must be led by a person of authority. Classes should be short and focused, he said.
In addition, the Cisco survey found other issues increasing the burden of compliance. Updating legacy systems was cited by 32% of respondents. Of the 12 PCI requirements, tracking and monitoring all access to network resources and cardholder data (37%), developing and maintaining secure systems and applications (32%), and protecting stored cardholder data (30%) cause the most issues for achieving or maintaining compliance.
"I would have expected one of these 12 requirements posing the biggest challenge, but instead it was the user education causing the biggest issue," said Cisco's Kost. "This is probably validation of the effectiveness, the evolution of the standards being shown in the balance that there's not one particular pain point in achieving compliance."
Of those security professionals surveyed by Cisco, 85% said they would pass a PCI assessment and 78% said they passed their previous initial assessment. But the survey also found that many organizations are adopting technologies in advance of PCI Security Standard Council directives.
More than half (57%) of respondents were satisfied with their current virtualization security posture. But some respondents (36%) acknowledged the need to increase the number of virtual security appliances to meet the latest PCI DSS changes. Another 30% said they need to harden their virtualization software and plan to do so using guidance issued by the PCI Council.
"I think organizations are at least thinking about virtualization security and what they need to do," Kost said. "It's an emerging area and sometimes we find that what concerns people the most with virtualization security is what they don't know."
Cisco also found that 60% were using wireless IPS devices to detect rogue wireless access. In addition, 60% of survey respondents said they were using point-to-point encryption to protect card holder data.