PCI Awareness Training Series, Part 2: From the Top

The PCI SSC publication—Best Practices for Implementing a Security Awareness Program—identified three broad aspects of a successful PCI awareness program. We addressed the first two in Part I of this series. The third, building and reinforcing the organization’s business culture, is the subject of today’s post.
Let’s get right to it. No question, business culture begins with the tone at the top. Security awareness expert Dr. Kenneth Knapp sums up the importance of that tone this way: “An organization’s overall security health can be accurately predicted by asking a single question: Does top management consider security important? If they do not, it is unlikely the rest of the organization will, either.”
Joining Knapp in this sentiment is Dr. Larry Ponemon, who continually stresses executive support as the most critical information security issue for organizations to address—and that goes for PCI security awareness, as well. The point cannot be overstated.
Remember that the goal is to transform the new knowledge acquired in PCI awareness training into habitual practice, which is, of course, the essence of culture. Or, as the PCI standards people put it, a new way of doing “business as usual.” And that goes far beyond mere compliance. But as we saw in Part I, once the initial policy-setting PCI activities are completed, organizations routinely fall down, defaulting to the old business-as-usual behaviors. And that, sadly, not only misses the point completely; it is entirely a failure of executive management.
The PCI standards group’s objective is to help organizations focus on security, not just compliance. By making payment security business-as-usual, they mean information security must be instilled as a habit of practical, measurable security mindfulness that ultimately becomes an attribute of the organization itself. Only when the right set of habits are established can an organization sustain a meaningful level of compliance. And that takes management elevating security as a top organizational priority.
But here’s another reason for top management to pay attention: A security-oriented culture makes good financial sense. Breaches are expensive on several levels, but let’s look at just the direct costs. Industry observer Chris Camejo noted, “Current estimates of the cost of a breach run between $200 and $300 per compromised card, which would mean Target would be looking at as much as $8 billion on the low end.” PCI training—actually mandated by the standard—will not only position your organization to avoid or mitigate such breaches, but work to boost your trustworthiness overall, yielding greater loyalty and profitability in the bargain. It’s a double win.
Once again, a change in the corporate culture requires a change in the organization’s habits; a change in habits requires training and reinforcement. And for any of that to happen, management must lead.
In our next installment, moving beyond management’s essential role, we’ll cover the ways training must be tuned specifically for the various other roles within the organization, as one size definitely does not fit all.