As a former customer, nothing frustrated me more than the stack of papers. You know the ones I’m talking about. An assessment ends and there are pages upon pages of findings. Where do I start?
I’ve long since adopted a simple roadmap technique. But before we get there, let’s begin with the findings themselves. Here’s the roadmap to the roadmap: findings, recommendations, themes, and the roadmap.
Findings are what they are. PCI DSS has twelve requirements and hundreds of specific controls. Either an organization is meeting the control or it isn’t. Satisfying a control is often more than simply having the technology configured; it also includes having it documented, having people trained, maintaining a program for updates, and more. Having evaluated the control, we can say it is not in place, partially in place (perhaps documented without training), or fully in place. It’s common to have a finding for every absent or partial control. That’s often a lot.
The next step is to have recommendations. A good recommendation reflects the organization’s culture, technology investments, staffing, and current initiatives. A good recommendation is actionable. Good is practical. Good is reasonable. Moreover, the art of recommending actions is identifying those that, if taken, would address several findings at once. For example, improvements to the monitoring program could address several specific, tactical PCI DSS requirements in one effort.
With themes, we shift from the tactical to the strategic. Just as findings map many-to-one onto recommendations, recommendations map many-to-one onto themes. Moreover, the themes can and should reflect the organization’s ongoing strategy, values, and culture. The organization may tout “quality is job number one,” for example, and therefore the theme would be “quality in software development”. This quality development theme would then contain the recommendations for segregation of duties, test data, secure coding guidelines, and so on, in support of the PCI DSS initiative.
With the themes defined and aligned with the organization, it is time to create the roadmap. What is the timing for each of these initiatives? What are the high-level estimates for effort and resources? This takes further conversation and analysis, of course. The trick is to partner up the themes with other organizational initiatives. A new software application, for instance, may be a good proving ground for “quality in software development”. And once established, it may become a center of excellence for other development initiatives to follow. In this way, the PCI DSS program can be planned and advanced along with other areas of the organization.
And finally, remember the roadmap is not the terrain. Things change. Priorities shift. As we execute on the plan, it’s important to update it regularly and routinely to reflect what we learn along the way.