About Gene Kim

I've been researching high-performing technology organizations since 1999. I'm the multiple award-winning CTO, Tripwire founder, co-author of The DevOps Handbook, The Phoenix Project, and Visible Ops. I'm a DevOps Researcher, Theory of Constraints Jonah, a certified IS auditor and a rabid UX fan.

I am passionate about IT operations, security and compliance, and how IT organizations successfully transform from "good to great."

Tuesday, June 8, 2010

Talk notes: NACD Director Professionalism: Risk Governance

Director Professionalism
Philadelphia, PA
June 8-9, 2010

Course description at the NACD website here.

Risk Governance

Peter Gleason, Managing Director and CFO, NACD
Director, the Patriot Fund

Interestingly, I just found out after meeting Peter that I'm very familiar with some of his work, "What Boards Need To Know About Information Security," which Peter headed up as the NACD head of research in 2002. The visionary behind this was the late Tom Horton, former chairman of NACD.

This talk centered around the NACD Blue Ribbon Commission report, "Risk Governance: Balancing Risk and Reward," which can be purchased for $50 at the NACD bookstore here.

I'm a little frustrated, as the information is at a very high level: like 90K feet. I'd love some practical examples of how to operationalize this, where people don't waste their time for three years in meetings without any material change in how the business operates.

Best advice during the talk:

  • On directors and how they should get information from people closer to those doing work. The more levels down, the better.
    • "At board dinners the night before, don't have dinners with the board: have dinner with people a couple of levels down: ask 'what is it like working here?' You know the C-level folks very well, so get to know the people below that level well."
    • "Director education: give them a book, and book them a flight to walk the floor at various sites where money is made." (Home Depot example)
  • And analysis of BP risk management is at the bottom of the post.

Notes are below:

  • "enterprise risk management is just management"
    • Everyone has seen the "COSO Cube"
    • So what is the board's role?
    • Had roundtables at many of the 22 chapters
    • resulted in the Blue Ribbon commission "Risk Governance: Balancing Risk and Reward" report. Commission included Oxley, PCAOB staff, etc.
  • Agenda
    • Understanding balance between risk and reward
    • Categorizing risks
    • Roles of board and management
  • Without risk, there is no reward
    • "a car in neutral goes nowhere"
    • Determine risk appetite based on
      • foreseeable risks
      • possible rewards
      • shareholder expectations
      • available capital
      • strategic alternatives
      • acceptable volatility
  • Risk is a team sport
    • only 30% of attendees here have primary responsibility to the audit committee, down from 60% last year
    • audit committees are so overburdened that risk needs to be integrated into the full board
    • standing committees support the board
    • if created, risk committees should aggregate/analyze risk
    • notes that "most companies that ended up on the beach in trouble had risk committees", so real question is how to effectively manage risk
  • Categories of risks (spectrum from board to management)
    • Governance risks
    • board-approval risks
    • critical enterprise risks
    • emerging risks and non-traditional risks
    • business-management risks
  • Board responsibilities
    • Understand balance between strategy and risk
    • ensure management has a system to manage risks
      • identify, assess, mitigate, monitor and communicate
    • provide oversight through committee structure
    • realize the interrelationship of risks
      • "a lot of little yellow flags can add up to a big red flag" -- especially when it's across a lot of divisions
      • "SEC now requires board to discuss role with regard to risk"
  • Create dialogue around three critical areas
    • risk appetite
    • aggregation and integration
      • "often in dialogues with internal auditors, because they're in the trenches and can bubble up information"
      • "certain risks get folded into comp committee, reporting up into the full board"
      • "are we incenting the wrong behaviors?"
      • Question: "assuming you could quantify risk, are there guidelines of ranges? Say, 3:1 upside/downside?" "that's management's job, bringing in consultants."
    • underlying assumptions in management's strategy
      • have appropriate skepticism: "what are the other alternatives?"
      • Question: "what does risk look like for non-profits?" -- talked about looking at funding sources. Post-Enron failures, many non-profits failed because funding pool disappeared
      • Question: "I don't like the term 'risk appetite,' because it sounds like a buffet. There are situations where many risks we have no choice but to accept. We all operate in a policy environment. Maybe 'risk or policy climate?'"
  • Management responsibilities
    • Identify and disclose risk to the board
      • focus on material risks
      • implement risk mgmt within strategic plan
      • don't be afraid to bring news
    • Have risks changed since the last board meeting?
    • Ascertain likelihood and significance of risks
    • Who in management "owns" the various risks?
    • Establish key metrics
  • Improving risk communication
    • Map risks to managers
    • map committee oversight responsibilities
    • identify significant non-financial risks
    • educate directors about financially sensitive risks
    • consider overlapping committee memberships/attendance
    • ensure committee is reporting (including minutes) to full board
    • encourage informal discussion among directors
      • "Directors should get information from people closer to those doing work. The more levels down, the better."
      • "How?"
      • "At board dinners the night before, don't have dinners with the board: have dinner with people a couple of levels down: ask 'what is it like working here?' You know the C-level folks very well, so get to know the people below that level well."
      • "Director education: give them a book, and book them a flight to walk the floor at various sites where money is made." (Home Depot example)
  • Every board should be certain that
    • risk appetite in the business model is appropriate
    • the expected risks are commensurate with the rewards
    • management has implemented a system to manage, monitor and mitigate risks
  • Question: "What should BP have done?" "BP had ten fail-safe mechanisms in a one-mile pipe. That's an execution problem. From a crisis management perspective, clearly there's something wrong -- they didn't think about the mitigation efforts and what happens when something goes wrong. If it doesn't work, then what do we do?"

TODO: get book "Why Great Leaders Don't Take 'Yes' For An Answer: Managing For Conflict and Consensus" by Michael Roberto.


Tuesday, June 8, 2010

Talk: NACD Director Professionalism: Fiduciary Duties of Corporate Boards

Director Professionalism
Philadelphia, PA
June 8-9, 2010

Course description at https://secure.nacdonline.org/source/meetings/meetingshome.cfm?sID=DP

Fiduciary Duties of Corporate Boards

John Gorman
Partner, Luse Gorman
Director, SmartPros Ltd: member Audit and Comp committee

Great presentation by a lawyer, presenting on fiduciary duties of board members.  Lots of great examples of legal cases in this talk.  And explaining liability risks and even covering relevant criminal code (prompting laughter, somewhat nervous?).

(Disclaimer: I'm not a lawyer, so my notes may contain inaccuracies.)

  • Learning objectives
    • basic fiduciary duties as applicable to director service
    • application of the Business Judgement Rule
    • reality of liability from director standpoint
    • impact of U.S. sentencing guidelines (very funny)
  • General principles
    • business affairs of a corporation are managed under the direction of the Board of Directors
      • Citibank has failed 3 times in his career: if the board isn't held liable despite all these failures, then boards are truly safe (a good finding for board members)
    • they owe a Duty of Loyalty to Company; and Duty of Care in administration of corporate affairs
    • subsidiary duties
      • duty of "candor" when communicating w/shareholders
      • duty of confidentiality as to board room deliberations
      • duty to disclose conflict of interests or possible conflicts of interests to the board
        • cites example Compaq case where investigation started violating California law, trying to find source of leak, suspected board member
        • cites example of Dow, trying to find board member leak: ended up with defamation lawsuit
  • Discharge duties: in good faith, with the care an ordinary person in a like position would exercise under similar circumstances, in a manner he reasonably believed, etc...
  • Duty of loyalty exposure
    • often happens in acquisitions
    • insider on both sides of transaction
    • "interested" when receives personal financial benefit not equally shared by other stockholders
    • "lacks independence" when decisions are based on extraneous considerations or influences
    • Discussion: someone brings up that outside board members, especially those from shareholders (even controlling ones), may lack independence, especially from an investment firm
      • Not a problem: director is entitled to shorter-term outlook than others.  Nothing wrong with that. Common goal is to create value for shareholders.
      • Bigger loyalty issue: CEO deciding on exec comp
      • Example: Viacom: Redstone lucrative comp was overturned because independent director found too much lack of independence between board members and CEO; raised doubt that the majority board was really independent.
    • Most common case law contexts
      • derivative litigation: "we want to sue in the name of the company, and the board won't sue themselves."  breach of fiduciary duty, substantial risk of liability; board can create "special litigation committee" to take over lawsuit
        • Discussion: "any shareholder can sue: regardless of number of shares owned"
      • approval of related-party transactions, e.g., compensation decisions
      • majority shareholder buyout of the minority shares
  • Legal standard of independence
    • financial relationships between a director and the company
    • Famous cases:
      • Oracle in 1990s (insiders sold stock, tens/hundreds of millions of dollars): company announces disappointing earnings; shareholder lawsuit sues; majority of board sold stock; hired new outside directors including SEC commissioners to determine whether to sue; $10M+ legal fees; decided we shouldn't sue insiders
        • Plaintiff Bar: found all sorts of trails: Ellison Stanford donation; all on Stanford steering committees, endowed chairs
        • Social ties called enough doubt on initial finding
      • Martha Stewart
        • Martha Stewart and Imclone: allegation: she was tipped by the CEO, not material to her well-being. SEC went after her for insider trading; not guilty, but lied to the SEC, so went to jail for perjury
        • Resulting Imclone lawsuit: found social ties: were on same board, kids went to same kindergarten, etc. Despite trying to make ties to Oracle case, Delaware court found that directors were still independent
      • Risk: "you don't want board full of your softball friends"
  • Good faith requirement
    • "Failure of oversight": the Caremark decision, director inaction cases: involved HCA, Medicaid referring fees to related parties, HHS, etc. Caremark tried to comply, had big fines.
    • world of compliance makes "our job isn't to find wrongdoing" just doesn't cut it anymore. It's not enough to say "you didn't know about it." -- it's part of the Good Faith obligation to bring about compliance
    • Requires a "sustained or systematic failure to exercise reasonable oversight"
    • What red flags were coming to the board that should have brought more scrutiny?
    • Confirmed as duty of loyalty issue in Stone v. Ritter (AmSouth)
    • Quote: "intentionally fails to act in the face of a known duty to act, demonstrating a conscious disregard for his duties"
  • Duty of care
    • requires that boards make informed decisions
    • usually characterized by failure to obtain adequate information, failure to give thorough consideration to a decision
  • Duty of care is very much a question of the adequacy of the process
    • how many board meetings
    • how thorough committee reports
    • how detailed are management reports
    • existence of outside counsel
    • use of consultants/experts
    • Discussion
      • M&A: was an investment banker used to set fair price?
      • "record is as important as decision itself"
  • Directors may rely in good faith on information prepared by officers, employees, committees, experts
    • Question: "if a director abstains or votes against, can they be absolved of liability?" "Likely"
    • Question: "can the board be liable for appointment of a trustee, for say, employees' 401K plans?" "You don't want senior management on these committees, because of ERISA. Especially because retirement funds are in company stock. Every major decline in stock price leads to lawsuits, supported by ERISA." "Board can't delegate away fiduciary duties."
    • Example
      • Smith v. Van Gorkom: directors held liable for breaching duty of care, because board considered proposal for only two hours ("because it was such a great deal", "stock hasn't traded at proposed acquisition price for years.")
        • Saturday board meeting, board piling over each other trying to sign purchase agreement
        • Agreement negotiated by the president
        • Board relied solely on a presentation by the president
        • $80M of liability, some carried personally by the board (!!)
      • Disney case: directors were considered negligent, but not grossly negligent: about Ovitz compensation: more on this later
        • No meeting minutes
        • TODO: pull prior meeting minutes
  • Business judgement rule
    • Presumption is that informed, independent and disinterested directors acted in best interests of company and shareholders
    • "it used to be a race to the courthouse whenever the stock price dives. whoever got there first got to lead the plaintiff's case."  Courts got tired of this, now different statutes.
  • Burden of proof is to challenge duty of care/loyalty/conflict of interest/etc.
    • Courts will then go director by director to see who's liable
  • Impeding stockholder voting
    • Examples: Blasius, Liquid Audio, In Re The MONY Group, Inter-Tel
      • Blasius: board felt a certain transaction left the company vulnerable. Acquiring firm suggested electing 8 new board members; board saying "this is a terrible transaction."; board elected 2 new officers to fend off takeover.
        • Court backed this up: "fundamental to legitimacy of board power".  Business judgement rule trumped by shareholders right to elect board
  • Failure of board oversight cases
    • Example: Citigroup
      • Despite $100M+ losses, shareholder launched derivative suit for failure to properly oversee the risks associated with sub-prime lending
      • Court stated that decisions were "wrong", but directors properly evaluated risk and made the "right" business decision.
      • Court distinguished vs. Caremark case:
      • "This is the right decision, not imposing liability for bad risk judgements. This is good for board members"
    • Example: back to the Disney/Ovitz case and compensation
      • Eisner designated Ovitz as successor, put together contract. Ovitz is terminated, and severance package valued in the $140M range
      • Shareholder launches case
      • Shareholder requests board notes on contract creation, termination: no records are found, only a few sentences in board minutes that resulted in the $140M package. Despite "small amount that didn't jeopardize Disney viability", courts found directors were derelict in duties and "bad faith"
      • They did find that board made informed decision: "record keeping as important as the decision -- the process was sloppy, but record-keeping was far worse"
      • Court called out that "board were sycophants to Eisner"
      • Reputational risk: 5 years of Wall Street Journal coverage
      • Question: "how do you decide what information goes into the meeting minutes?" "Committees are now so much more careful in compensation, tally sheets, documenting what was promised, etc."
    • Emerging Communications: about share price and fraud
      • One board member was defrauding shareholders; one was a lawyer who was getting fees; one investment banker liable because he should have known price was wrong ("unique position to know" due to "his expertise")
  • Corporate takeovers
    • Board can choose to take 100 year outlook or short-term outlook. Price of acquiring offer can't cause liability, no matter how attractive, if board can reasonably justify it.  "We just said no" is a fine response.
      • Unless of course, CEO is saying monthly, "our best years are behind us, our competitors are eating our lunch..."  (haha)
      • Question: "how about SEC 13-D?" (didn't understand answer)
  • Defending against corporate takeovers
    • can trigger "modified" business judgment rule
    • According to Delaware Supreme Court: "board of directors is the defender of the metaphorical medieval corporate bastion and protector of shareholder value" -- when sees threats, has broad authority to respond and take combined defensive precautions.
  • D&O insurance
    • How much is enough? Look at market cap, trends in settlement and trial results and peer limits
    • Expenses are included in the coverage amount, subject to retentions
    • "Insurance business is one of the worst businesses I've seen."
    • "Would never suggest less insurance." "Unfortunately, lawsuit settlements track amount of insurance carried."
    • $10M market cap, $5M coverage, 50% loss coverage: lawyer expenses could top $5M in course of even straightforward litigation ("a couple million won't cover your legal fees.")
  • D&O Insurance
    • Side C coverage: entity coverage
    • Side B coverage: coverage for directors, company indemnifies
    • Side A coverage: need this if company is not around
  • Current issues
    • Severability: insurance can't pay if there is wrongdoing. What happens if CFO defrauded, what happens to other directors? will they be denied coverage?
      • Was very applicable during tech bust: because of fraud involved
      • More insiders on the board would eat up Side A coverage
    • So, now there's Independent director liability (IDL) to mitigate this risk
  • Policy rescission
    • When company restates financials, say company losing money for three years, instead of making money as stated: underwriter may rescind policy; "I wouldn't have provided insurance"
  • Deliberate fraud exclusion
  • Indemnification: "insurance is basically accepting premiums and denying claims" (haha)
    • "because these cases never get to trial, insurance is to cover legal expenses"
  • U.S. sentencing guidelines
    • Initially adopted in 1991, substantially revised and expanded in 2004 in Section 905 of SOX
      • Arthur Andersen: 95K put out of work, because of a "few bad apples."
      • "They've really backed off since those days"
      • Example: when someone went after KPMG partners for wrongdoing.
    • This may be reversed given recent economic catastrophes
    • Reduced criminal penalties if there is an effective ethics and compliance program
    • Board shall establish standards and procedures to prevent and detect criminal conduct
    • Governing authority must know about the content and operation of the compliance/ethics program, involving senior officers, given adequate resources (budget, etc.), report back to board
    • Mechanisms to allow for anonymous and confidential submission of reports of wrongdoing ("whistleblower program")


Tuesday, June 8, 2010

Talk: NACD Director Professionalism: Board Excellence: Trends, Responsibilities and Strategy

Director Professionalism
National Association Of Corporate Directors
Philadelphia, PA
June 8-9, 2010

I'm here for two days taking a course called Director Professionalism. It's fascinating hearing how the era of regulatory compliance is affecting corporate directors. Great curriculum here. I'll post some thoughts and analysis later.

But for now, I'll be posting just the raw talk notes.

Course description at https://secure.nacdonline.org/source/meetings/meetingshome.cfm?sID=DP

Attendees: about 75

"The only time you see so many bankers and lawyers besides during an IPO process is during bankruptcy proceedings. Both create feeding frenzies." (Cathy Staples)
TODO: add this quote to The Goal

  • Class choices during workshops
    • Audit issues: Comcast board, breakfast opportunity
    • Private company breakfast
    • Advanced finance
    • Intermediate finance: goal is to ask good questions to keep board and management accountable
  • Demographics
    • Top roles
      • Outside director
      • C-level exec
      • Board chair
      • CEO
    • 56% public, 47% private, 16% family-owned, 51% non-profit
    • How long? (37% prepping for first, 19% 0-3 years, 29% 4-10 years, 15% >10 years)
    • What committees? (52% audit, 52% compensation, 48% nominating/governance, 24% finance, 33% strategic planning)

Board Excellence: Trends, Responsibilities, and Strategy

Robert Galford, Director and Chair Compensation Committee, Forrester Research; Managing Partner, Center for Leading Organizations

  • Agenda
    • Current environment
    • NACD Leading the Way
    • Board Leadership and Structure
    • Focusing on Strategy
  • The current environment
    • Q: what do boards do now?  (group table exercise)
      • compensation issues
      • performance metrics
      • ERM to head off companies imploding overnight
        • governance systems
        • succession planning
      • new regulatory need for proxy statements
        • you can tell from language in proxy statements stating "why are they on the board" who is going to be replaced
      • regulatory and compliance issues
        • for companies operating in many countries, "breaking someone's rules somewhere"
        • justification of CEO and chairman separation (or not)
        • named lead director
      • scenario planning
      • board self-evaluation
      • shareholder activism issues inhibit long-term planning (e.g., say on pay, proxy statements, etc.)
        • average shareholder tenure is only 7 months?  (i.e., how much do they really care about long-term planning?)
      • leadership
      • board composition ("makeup of the board")
      • transparency
    • Boards can be reactive or proactive
    • The time is right for boards to show leadership
    • Enterprise Risk Management
      • 13K followers of BP on Twitter
      • Rogue parody group called @BPGlobalPR has 130K followers, all created in three weeks (TODO: Twitter and @BPGlobalPR makes NACD!)
  • NACD Board Priorities
    • Adapt to a changing environment
      • proxy access
      • say-on-pay (shareholders have right to speak on board pay policies)
      • majority voting (who votes, who is around to vote, and how many votes needed to get affirmative carry?)
      • Future SEC regulations?
        • Inside the sausage factory: "there's a reason why you should eat sweet Italian sausage, not spicy Italian sausage."
    • Demonstrate leadership
      • Considered leaders in governance structures
        • Microsoft: had say-on-pay before required
        • HealthSouth: despite tarnish, now proxy policies on reimbursements
        • Prudential Financial
        • Coca-Cola: risk assessment/management
      • Avoid "being the perfect lawyer", allowing creativeness vs. "you can't do that"
    • Build your board
      • Are the people with the right wisdom and expertise on the board?
      • Nom/Gov committee should ensure board has appropriate skills to match company's strategy
      • Discuss resources necessary for long-term growth
      • SEC proxy disclosure enhancements on board composition
      • 10-Ks will be read: "amazing how many underpaid college undergrads will find who are employed in DC.  do not underestimate. they will be read, and maybe used to create a damaging narrative"
    • Understand risk governance
      • Are the expected risks commensurate with expected rewards? (aka book: Taleb's Black Swan)
      • Determine the appropriate risk appetite
      • Is risk management system appropriate given the company's business model and strategy?
      • TODO: NACD Blue Ribbon report on Risk/Governance report
    • Pay for performance
      • Effective executive pay packages begin with
        • Pay philosophy
        • Clearly articulated performance criteria
      • Transparency is key to shareowner approval
    • Discussion
      • Problem: many people expressed that they were dinged by Risk Metrics for irrational reasons: "forces us to do the wrong thing for the right reason"
      • Problem: lots of time spent on CEO succession: very difficult to have transparent discussion on this topic
      • Problem: Expert who attends 150 board meetings/year: Board often thirsting for more visibility into strategy
    • Poll: what is most challenging priority
      • 47%: Adapt to changing environment
      • 16%: Demonstrating leadership
      • 4%: Building your board (<-- surprising because of the Lake Wobegon effect)
      • 20%: Understanding risk governance
      • 13%: Pay for performance
  • Key Agreed Principles
    • Describe areas of current consensus
    • Recognize areas where consensus is not yet developed
    • Support flexibility and continued development
    • Reject "box ticking"
  • Key principles
    • composition
    • transparency
    • competency/commitment
    • accountability/objectivity
    • independent board leadership
    • integrity, ethics, responsibility
    • information, agenda, strategy (<--- strategy)
    • protection against entrenchment
    • shareholder input in director selection
    • shareholder communication
  • Principle 1: board responsibility for governance
    • "ensure that mission and systems are established so that the company's activities are conducted in ethical and legal manner"
    • select, evaluate, compensate the CEO and other managers
    • help shape company's strategic plans: identify competitive advantages and oversee risk
      • This is management's job, but board has role: "We don't have to answer the questions, just have to ask the right questions"
    • Review, approve and monitor management's business plans and performance against financial goals
    • Review and approve material transactions not in the ordinary course of business
    • Provide informal advice to top management outside of board meetings
    • Monitor critical alignments: of strategy, risk, controls, compliance, incentives and people
  • Poll: top areas where board should be focused
    • 45%: "help shape the company strategic plans:" (Peter Drucker: what is our business and what should it be?)
    • 35%: Monitoring critical alignments of strategy risk, controls, compliance, incentives and people
    • Discussion
      • What are good metrics to report on their performance when the board isn't competent to comprehend them?
        • Cost of sales and marketing, cash flow, return on investment, EBITA, shareholder price
      • Discipline around board calendar: safe, process, discipline
      • How to balance board aggressiveness: causes some distress: if board doesn't help set strategy, are we abdicating responsibility
  • Focus on strategy, NACD Public Company Governance Survey (October 2009)
    • Strategic planning
    • Corporate performance
    • Financial oversight
    • CEO evaluation
    • CEO Succession
    • Billboard charts:
      • "Risk was #9, up from #14. Certain to be in top 5 this year."
  • What is strategy? It's the allocation of risks and resources such that the entity achieves as sustainable a competitive advantage as possible
  • Who is responsible?
    • Strategy development
      • Board role, CEO role/board role
    • Example: Progressive UK: acquisition failed: some demanding that board chairman and CEO resign.
  • Poll: where are you getting information?
    • 35%: I get 100% of info from company
    • 56%: I get 75% of info from company
    • 9%: I get 50% of info from company
    • 0%: I get 25% of info from company
    • TODO: "everyone should have Google search of their company.  Technology makes this a board requirement."
      • Look at Facebook to find "what is it like to work at company X?"
      • Look at Monster.com job ads
  • Poll: where are you getting outside info
    • 57%: access non-company issue reports
    • 68%: talk freq w/non-exec staff
    • 24%: attend numerous company events
    • 11%: Interface, interact, or use company products or services on a regular basis
      • TODO: like TV show "Undercover Boss": have CEO go undercover, pick up trash, serve Slurpees: make plea for undercover directors
  • Strategy Organization
    • Nominating/Governance, Audit, Compensation


TODO: guy on board of ICANN is here (global domain name serving)

Monday, May 31, 2010

Upset about the subjectivity and ambiguity in the PCI DSS compliance standards? My #BSides submission on the answer...

(First a disclaimer: Although I am part of the leadership team of the PCI Scoping Special Interest Group, everything in this article is only my opinion, not anyone else's, or an official position of the PCI Security Standards Council.)

Don't get me wrong. I think the mission behind the Payment Card Industry Data Security Standard (PCI DSS) is a critical one: "improve the security of global payment systems by protecting consumers, merchants and banks from credit information theft and loss and subsequent fraudulent activity."

The fact that millions of cardholder records continue to be stolen shows that there is a need for significantly increased discipline and rigor around the controls required to protect cardholder data.

But as organizations mobilize to comply with the PCI Data Security Standard, they're finding that it's a huge project. Like really huge. Many organizations are finding that complying with PCI DSS will require more project hours than the organization has! Even if the only project they had to complete was "comply with PCI," they wouldn't be able to complete it in one year!!

Even for organizations that don't have over ten-thousand project hours dedicated to PCI, PCI compliance is still sucking up all the air in the room, starving a gazillion important projects of necessary resources.

One of the most frustrating aspects of PCI, though, is the standoff between the organizations who have to comply with the PCI DSS, and the Qualified Security Assessors (QSAs) that audit them for compliance.

The interaction may sound like this:

  • Organization: “We have isolated our sales order entry systems as best as we can, and believe we are still effectively protecting cardholder data. Due to an architectural decision, we can’t partition off these systems from the rest of the business processes.”
  • QSA: “I understand. But, we’re still liable for our role. So, your entire 20,000 systems will be in the scope of the PCI assessment.”

Maybe it's not 20,000 systems that are being argued about. Maybe it's the CEO's laptop, even though the CEO isn't entering customer orders or able to retrieve cardholder records.

I think this is an important topic.  So, here's the topic that I’ll be submitting for this year’s Las Vegas #BSides conference.

"Properly Mobilizing the PCI Resistance: Lessons Learned From Fighting Prior Wars (SOX-404)"

I have noticed that there is a growing wave of discontent and disenchantment from information security and compliance practitioners around the PCI DSS.  Josh Corman has been an effective voice for these concerns, providing an intellectually honest and earnest analysis in his talk “Is PCI The No Child Left Behind Act For Infosec?”

The problems are well-known and significant: too much ambiguity in the PCI DSS, Qualified Security Assessors (QSAs) and consultants using subjective interpretations, existing guidance either too prescriptive or too vague, scope missing critical systems that could put cardholder data at risk, overly broad scope and excessive testing costs, excessive subjectivity and inconsistency, poor use of scarce resources, no meaningful reduction in risk of data breaches, and so forth.

For years, I have been studying the PCI DSS compliance problem, as well.  I have noticed many similarities between the PCI compliance challenges and the “SOX-404 Is The Biggest IT Time Waster” wars in 2005.  I was part of the leadership team at the Institute of Internal Auditors (IIA) where we did something about it.  We identified the inability to accurately scope the IT portions of SOX-404 as the root cause of the billions of dollars of wasted time and effort, while not reducing the risk of financial misstatements.

I propose to present the two-year success story of the IIA GAIT project and how we changed the state of the IT audit practice in support of SOX-404 financial reporting audits.  We defined the four GAIT Principles, which could be used to correctly scope the IT portions of SOX-404.  We mobilized over 100K internal auditors, the SEC and PCAOB regulatory and enforcement bodies, as well as the external auditors from the 8 big CPA firms (e.g., the Big Four and other firms doing SOX advisory work).  In short, we made a difference, in a highly political process that involved many constituencies.

I am attempting to do something similar with the PCI Security Standards Council, through my work as one of the leaders of the PCI Scoping SIG (Special Interest Group).  My personal goal is to find a “third way” to better enable correct scoping of the PCI Cardholder Data Environment, and create a risk-based approach of substantiating the effective controls to ensure that cardholder data breaches can be prevented, and quickly detected and corrected when they do occur.

My desired outcome is to find fellow travelers who also see the pile of dead bodies in PCI compliance efforts, and work with those practitioners to catalyze a similar movement to achieve the spirit and intent of PCI DSS.

There is a better way...

I’ll be writing a lot more on this.  Here are some topics I’m hoping to cover in the next couple of weeks:

On GAIT and SOX-404:

  • a history of the GAIT for SOX-404 project
  • examples and analysis of inappropriate SOX-404 scoping
  • the method behind the madness: why did GAIT work?

On its application to PCI:

  • what principles can be ported over to PCI DSS?
  • conversation with Josh Corman on "inside baseball talk: how does the PCI SSC and the SIGs work?"

And some very exciting news on how the PCI Scoping SIG is doing:

  • the thought process behind the solution
  • desired outcomes and guidance
  • a report on our progress and work in process on solving this problem

And most importantly, what can you do to help?

Of course, the last point is likely the most important one.  There are things you can do to help the movement.  Interested in learning more, or is this a hysterical person on a lonely crusade against an imagined problem?

Thanks, and looking forward to your comments!


Tuesday, May 25, 2010

A note on my conference talk notes, and my ideal experience

I want to acknowledge my long-time buddy William Hertling's (@hertling) amazing conference talk notes that he posts on his blog at http://www.williamhertling.com.  An example of his fantastic notes is here (it's Alexa's talk, which I also took notes on -- his are probably better than mine.)

In fact, William's notes from #SxSW were so good, they got picked up by Lifehacker!

When I listen to conference talks, my instinct is either to:

  1. Take notes in my lab notebooks
  2. Send one-liner notes to Twitter
  3. Take notes on my computer
  4. Listen and let William take notes for me (har har)

[Image: William taking notes]

I'm tending to do (1) less and less, because retrieving the notes is tedious: I often can't access my notes when I need them.  I find (2) to be entertaining, but distracting.  (3) is my ideal, but if there are other notetakers, I like to do (4).

Why?  Taking good notes is all-consuming.  Here's a picture of William at one of the talks, taking notes, Googling the "uncanny valley" picture that the speaker is talking about so he can paste it in his notes, etc.

Then when the talk completes, he'll quickly upload it to his blog.

I've been so inspired by him, I'm posting all my conference talk notes into my blog as well.

But in my ideal, I'd love to find some combination of (2) and (3), where I can combine the collective Twitter streams in a talk with my notes.

Anyone know of any utility that can assemble tweets from a hashtag, merge them in timeline order, but separating out each person, so an editor can stitch them together?