Scatterbrain Post

February 17, 2009

The last few weeks have been crazy. I am working on a post (as time allows) to provide some thoughts on the Securosis “The Business Justification for Data Security” white paper. In the mean time, below are some thoughts I wanted to share. Off you go…

1. M&A Due Diligence. Back in the late 90s I worked at a lobbying / public relations firm in DC. I worked for a holding company of which there were five or six subsidiaries. When the holding company was purchased in either 1999 or 2000 – there was very little IT diligence performed in the areas of licensing. Sounds like a no-brainer. The same due diligence applies today but is compounded in some cases by regulatory compliance and PCI-DSS compliance. A few things to look at when evaluating a merchant and their PCI compliance:

a. Are they compliant?
b. What is their SAQ anniversary date?
c. What level merchant were they at the time of being considered compliant?
d. What level merchant are they now?
e. In cases where merchant level may have changed between SAQs, what is the most recent SAQ date?
f. If they are not compliant, what milestones have they committed to their processor for becoming compliant?
g. If they are not compliant, what is the estimated cost to become compliant?

In cases where a merchant is purchasing another merchant, you need to know the answers to the above questions. You also need to understand how the processors will view your company from a merchant perspective. Understanding some of this could impact integration plans and acquisition costs.

Next…

2. More FAIR Scenarios. Kevin Riggins over at InfoSec Ramblings (and fellow SecTwit) has some FAIR related posts at his website. It is great to see others embracing FAIR as well as discussing it in such an open manner. One of the best ways of learning is teaching. Good luck with the scenarios Ken!

3. Risk Quantification and Modeling. One of my “special” projects that started in late 2008 is being continued in 2009. Quantifying risk in terms of dollars is the core of the project. However, the reporting and modeling based off the data is really where the value is at. Luckily, I work for a company (within an industry) that understands risk – really, really well. Hopefully, some day I can share some details of this effort and what the outcomes will be. I am really excited about it!

Finally…

Random “Not Good” Thought. Gym buddies. Over the last several weeks I have noticed some gym buddies in the gym I work out / run in. It is very annoying. These two guys pal around like they are 10-year-old best friends. They are inseparable and they are loud. I try to find the good in such a work relationship – but not at the expense of being a distraction to others. Very annoying.

Random “Good” Thought. I am just really thankful to be employed right now. A few IT professionals I have relationships with have lost their jobs. Some have been in the financial services industry and some in professional consulting. I have neighbors who have lost their jobs as well and some have had to move out of their homes. My grandmother lived through the Great Depression and I would submit that our current economic condition is nowhere near the impact felt during the Great Depression – from a human perspective. If you do some research on the Great Depression, you will find that there were some products / companies that really picked up market share during the “Great Depression”. Here is a URL that sheds light on this. In a few years, what will be something that defines this recession from a consumer product standpoint? Regardless, if you are reading this – you have a lot to be thankful for.