Last year, I wrote about the Verizon Payment Security Report saying it was “Not Just for PCI.” Verizon liked that post enough to include its introduction in this year’s version. This recognition was a wonderful surprise. Like last year’s report, the 2020 publication goes well beyond PCI in its information and recommendations.

While PCI DSS forms the foundation of these reports and informs their content, the guidance is broadly applicable, and they could easily be rebranded as “data security” reports. I hope everyone responsible for data security takes the opportunity not only to read this year’s report but also to download the reports from prior years. Each report builds on the previous foundations, and the 2020 report provides an overall success strategy for CISOs and information security leaders.

2020’s Theme: Strategy

The 2018 and 2019 reports had decidedly tactical viewpoints, offering ‘how-to’ guidance that described the nine factors of control effectiveness, the five constraints, and the four lines of assurance. These concepts help build a long-term approach to data security maturity.

In 2020, the focus is on the CISO and using these tools to take a long-term, sustainable approach to data security. That forward-looking vision requires strategy in order to be successful, and strategy is hard work. Fortunately, there is deep and rich guidance in the Payment Security Report (PSR) for both new and experienced cybersecurity strategists.

Rather than go into detail on specific sections of the report (and there are many, including strategic management traps, business modeling, and security strategy), I’ll discuss three main ideas that stood out to me.

Shift from Technology to People

Security teams are having to manage more security solutions all the time. According to the 2020 PSR, “most organizations manage a multivendor environment with between 20 and 70 different IT security