By Mike Foster
I had the pleasure of performing an audit at a company recently where the lead IT professional was shocked to learn that his e-commerce system needed to be secure in order to keep credit card information secure as part of PCI-DSS compliance.
This company, like many, had separate networks for e-commerce and for administration. The IT professional had been telling his CEO that the organization was “compliant” based on the security of the office administration network, not the IT systems that actually process, store, and transmit credit card information. PCI-DSS scope is defined by the cardholder data environment: every system that stores, processes, or transmits cardholder data, together with the systems connected to it. He pretended to be shocked that he needed to secure the computers and network that actually handle the credit card data.
As IT professionals, we need to know what we are talking about when we answer a CEO’s question, especially when a wrong answer could expose the CEO to fines, lawsuits, and even the failure of the business. If we don’t know, the proper response is, “I do not know, but I will find out.”
If you are a C-level executive, business owner, or manager, it is important to understand that, unfortunately, some IT professionals will tell you that you are compliant with specific regulations when they really don’t know.
I want to extend my gratitude to the IT professionals who do act responsibly!
Mike Foster, CISA, CISSP, is the founder and CEO of Foster Institute. He is a technology expert, author and professional speaker with more than 1,000 presentations under his belt. Mike is author of The Secure CEO: How to Protect Your Computer Systems, Your Company, and Your Job and is regularly sought for interviews and business publication features. He’s been interviewed by USA Today, Forbes Magazine, and The New York Times, as well as many others.
Originally published: Nov 20, 2011