The CISOs, identified only by their first names so they could address sensitive security issues, agree that PCI compliance will be the biggest driver of security spending over the next year. "The money we spent on remediating for PCI is considerably larger than what we've spent on remediating for Sarbanes-Oxley," Mark says. The other CISO, Tony, says security is typically less than 1% of his company's IT budget, but this year it has doubled because of PCI.
In effect since December 2004 and updated in September, PCI requires, among other controls, firewalls protecting cardholder data, encryption of cardholder and other sensitive data sent across public networks, and restrictions on physical access to cardholder data. Merchants that fail to comply risk losing the ability to process Visa or MasterCard payments.
It's a "great commonsense approach to how security should be implemented," Tony says. "Unfortunately, a large company like the one that I work for just didn't take it very seriously three years ago," when the standard was being proposed. A lot has changed since then, he says, and PCI is now the main driver behind his company's security initiatives, accelerating its use of data encryption. It's preparing to encrypt all data brought into the company's IT systems "so that everybody can reduce the risk further," he says.
Piling PCI on top of all the other regulations with which companies must comply isn't easy, but there's little choice when CISOs consider what's at stake.