A Trusted Advisor
(originally posted January 30, 2008)
I recently completed a project for a client that involved notifying the client where they would be vulnerable in a PCI compliance review. My manager wanted me to include a risk analysis that showed where they were most vulnerable. I did so, using EACH PCI compliance requirement (all 196), and created a slide that summarized my findings. I sent him the slides and the accompanying spreadsheet with my risk analysis (weighted on priority and the status of the requirement within the company).
We presented my findings to a group of lower level executives. When we got to the slide that clearly showed that they were in trouble based on their Network Security status (as expected), the network security folks were less than pleased. My manager quickly denounced my spreadsheet and acted as though it was the first time he had seen it. I explained how I came up with my numbers and the room fell silent as the network folks pondered what they were seeing. Yet their director continued to harp on the slide and my numbers and how I weighted the requirements. My manager then says "these numbers are clearly erroneous"...which angered me to no end. The numbers don't lie. I rated at the highest (3) risk level if they had gaps. I rated them just a step below that (2) if they were planning to address it. Bear in mind that "planning" in this organization means that it's an idea and hasn't even been funded yet. Hell...I can plan to get married, but until I actually meet someone and become engaged...it ain't happening. This (at least to me) is still an area of concern for this large insurance company (that does not even encrypt their credit card data, by the way). I was being completely up front and honest with them because (on the advice of another manager) I read a book called "The Trusted Advisor"--a great book for consultants and for employees alike--that clearly states that in order to be a truly trusted advisor you must be willing to give good news with the bad. My manager, on the other hand, only wanted to give the "Sunny day, lambs skipping in the sunshine" view of their situation. Never mind that I felt that he threw me under the bus by pretending that he never saw my spreadsheet before; he is giving these folks a false sense of security.
If this company experienced a breach (or should I say when), there is no way that they will pass a PCI forensic audit...NO WAY! They should know that. They should not be told that they are OKAY when they are clearly not. The network "worker bees" knew that what I presented was the truth and that is why they became silent and let their director fight for them. I didn't say a word because, one, I was shocked by my manager's lack of support and, two, I was equally shocked by the cluelessness of this company's "director of network architecture" (or whatever title they bestowed upon him, because he clearly didn't earn it by actually building any type of functional network). Bottom line is...if you are still using technology circa 1994 to transmit sensitive credit card data over a telephone line...you're not compliant...you are a laughing stock.
The next day, this same director, clearly after speaking to his staff, wrote me and my manager and backed off of his stance in the meeting, stating that we should "set up work groups to discuss the validation of the requirement statuses"--in other words--"Oh...you were right...we are in trouble", but of course this is after he basically had "undressed" me in front of his team and, not surprisingly, they were not copied on this email.
I guess I at least got them thinking, which in retrospect was my intention from the beginning.
Download, rent, buy or borrow a book called "The Trusted Advisor"; it is without a doubt the best book on consulting I've ever read. Your client will appreciate you more if you tell them the truth than if you simply blindly perform whatever they instruct you to do regardless of the consequences. Ultimately, it is their reputation on the line. Be respectful, but challenge them if you think there is a better solution. You are working in their best interest, so why not give them everything they need to be successful? It will also reflect well on you.