Can you hear the vendors blogging?
February 24th, 2007 by datasecurity Posted in Approved Scanning Vendor, Compliance, Vendors
This year at RSA the expo floor was full of people pitching their wares. And what were they saying about them? They sold different things but every product pitched compliance. This is because “compliance” is the only thing that sells these days. You saw this attitude two years ago at RSA, but it reached its pinnacle this year.
The question is, where are these vendors now? I can’t hear them anymore. (Read: Long Winded Fodder below for more details.)
So, which vendors that pitch PCI are actually engaging their customers? Here are the ones I found. Please tell me if you know of others.
- LogLogic and their LogBlog (they certainly do love logs)
- Ambersail Infosec Roundup (PCI Qualified Security Assessor)
- StillSecure and Still Secure After All These Years (recently hired Martin McKeay as their Product Evangelist)
- nCircle 360 blog
- Ecora’s CEO, Alex Bakman, launched a change and configuration management blog
- F5’s DevCentral - they have a blog, forum, and wiki!
- SPI Dynamics has a blog portal and online forum - unfortunately AppSecInc has neither
I love it when CEOs blog. GoDaddy’s CEO, Bob Parsons, even has his own radio station!
I want Vormetric to make a blog, because when you google for “encryption PCI” you hit the old blog and not theirs. I thought Tripwire had a blog, but I was wrong.
Verisign has a blog and, along with Ambersail, might be the only QSAs or ASVs to have one. (Too bad the Verisign blogs don’t talk about PCI compliance.)
I also didn’t see any blogs out there from security vendors that address PCI for: firewalls, IDS, VPN, anti-virus, or other PCI requirements.
Check Point talks about PCI (and has a PDF) but has no blog. Cisco has a nice PDF and a blog, but never really used it…
Who has been in the news? Michael Farnum writes about the Cisco and CyberTrust partnership on PCI DSS compliance which was echoed by Computer World Australia and again by Martin McKeay at Computer World US. Cisco has a blog, several of them in fact, but none of them responded to the partnership story. Cybertrust does not have a blog and their response was minimized to writing a comment on the original post. Do you call this engaging the community? Responding to consumer questions? This could have been free advertising if Cisco and Cybertrust only had the infrastructure in place to volley back.
Same problem for ScanAlert and ControlScan. Both companies are in the PCI ASV market but neither of them had a blog (or other method of responding) to address the ha.ckers.org issue that started in the Washington Post. The ha.ckers.org site outed ScanAlert and ControlScan as not properly addressing cross-site scripting issues. I give many kudos to Aaron Biddar, President of ControlScan, for contacting the ha.ckers.org group and getting his response in their blog (although I don’t know if he wanted to be quoted in quite that way).
Long Winded Fodder
When it comes to ‘engaging your customers’ almost every vendor gets it wrong. Let me paint a picture of how sales+marketing have evolved and where people took a wrong turn. The traditional approach to sales is through one of the following methods:
- Direct sales
- Channel partners
- Word of mouth
The direct sales approach is well known and the oldest of methods, originating with the traveling salesmen knocking on every door (thus creating the traveling salesman problem, but that is another story). The problem with this is that you need to hire well-skilled salespeople who (1) travel to your prospective clients, or (2) dial-for-dollars all day long trying to sell products.
Then one day companies began to think, why am I calling clients directly when other people already have a relationship with these people? The vendors created partnerships with other companies that already owned the client relationship and exploited that to sell their products through them as ‘channel partners’. At this point nobody actually believed a product would sell by word of mouth because of the slow nature this approach had.
Companies took a wrong turn when they ignored the creation of the Internet. Many used it for creating a static website but never went beyond this. They made a wrong turn when they ignored the viral nature of Internet consumption.
Think ‘The Long Tail’ (and the markets you are missing/ignoring).
Think YouTube (and their slogan “Broadcast Yourself”).
Think Corporate Blogging (evangelized by Robert Scoble).
Having a ‘News Room’ or ‘Contact Us’ page is just not good enough. You need a method of bypassing the legal and wordsmithing departments and getting a message out there so the conversation can be had. Scoble has always said that the topic (read: your company) will always be discussed somewhere, so why not make it happen around your water cooler instead of theirs. (Ok, I may be paraphrasing.)
On another note…
The downside of moving your blog is that you lose part of your reader base. When you google for “PCI blog” you still hit my old site. (sigh) I’d just like to thank all the other security bloggers out there, some of whom I met at the RSA Security Blogger Meetup.
5 Responses to “Can you hear the vendors blogging?”
By Mark Mac Auley on Feb 27, 2007
A nice little PCI tool that I’ve deployed (although they don’t market it as such) is from Trusted Network Technologies. You can do a TON of stuff with a single piece of technology. The audit rocks, but to go from audit to putting serious controls in place with the same technology - Priceless!! http://www.trustednetworktech.com is the URL, blog is at http://www.knowidentity.typepad.com/
By admin on Feb 27, 2007
If this is a vendor with a blog let us know and we will include them on the list.
By Rob Newby on Mar 20, 2007
I want Vormetric to blog too! I used to be their UK and EMEA SE, and whilst I was there Heather Mark joined us from ATW. What she doesn’t know about PCI isn’t worth knowing, let me drop her a line…
By Adam Vitale on Jul 19, 2007
I am part of an MBA marketing research team at Pepperdine University. We are working on a PCI-DSS project. We would really appreciate your help with our quick survey (you can even win prizes). Thank you!
http://www.surveymonkey.com/s.aspx?sm=o7Ht7e8ijWSuxAlqT2oJig_3d_3d
Click Here to take survey
By Sandra-vq on Aug 24, 2007