The 5x5 cube on the cover depicts the complexity of security program management. Designing a security program can be like trying to solve a mechanical three-dimensional (3D) combination puzzle. Each move affects the rest of the design and overall system. While some people struggle to solve the puzzle’s quintillions of options, others solve it within a few seconds. The difference has to do with their methodology.
Instead of a trial-and-error approach, combination puzzles are most easily solved by using a method. You can expend lots of time spinning the puzzle’s cubes until you line up some semblance of a solution that meets your needs. Or you can use a reliable, logical method to cut time, effort and cost and quickly solve the problem with the best possible results.
Similarly, Payment Card Industry (PCI) security programs require the alignment of multiple elements. This complexity can be vastly reduced with a sound program design (a method that applies the correct sequence of steps) and by understanding the cause-and-effect relationships between moves.
The cube on the cover highlights specific rows and columns (in yellow), representing the need to focus: resolving specific components within the perspective of the larger system. The entire system can be brought into alignment step by step, using a methodical and systemic approach to sequentially align individual layers rather than with random moves and attempts to solve the entire puzzle all at once.
After the 3D combination puzzle is fully solved, it’s shuffled, and the entire process is started all over again—reminding us of ongoing PCI security compliance programs where controls fall out of place and components (people, processes and technology) require ongoing attention. All control environments are subject to entropy, where a security control environment declines into disorder.
During the 20-year history of PCI security compliance, Verizon has highlighted several leading methods and models that significantly simplify the complexity of PCI security program design and management. This report delves into an integrated method that incorporates those models and can significantly shorten the effort and time needed to solve your PCI security compliance management puzzle.