Saturday, April 25, 2009

Compliance

What is this QSA review all about? I have been in the IT industry for about 14 years now, and for the last 7 of those years I have been working with enterprises (through system integrators) in different capacities to make their business secure and responsive. Of late, I have been observing anxiety among customer companies about how to pass the dreaded QSA audits, especially people in the banking industry who are concerned with PCI compliance. Please do not get me wrong; it is critical for enterprises to be responsible in the best known ways and to be compliant with these standards, and that is hugely important for the success of enterprises and their customers. Yet, in my opinion, enterprises should not be unduly worried and internally sarcastic about the whole of this compliance business. This state of mind actually makes enterprises look for ways to satisfy the QSA rather than be serious about doing the right things.

This state of mind is aggravated further by the way internal security departments behave. The aim of any security department should be to help the business achieve compliance and to make it easy for solution architects by working with them from the conception phase, rather than intimidating everybody around them by creating some sense of obscurity about the way QSAs work. I am of the opinion that even though QSAs have unlimited liability, their very existence is based on the new solutions and new business models that enterprises bring in. Statements like "once the QSA puts in an opinion it will not change, come what may" do not help anybody. As a security architect for years, I know for sure that there is no such thing as a single secure solution for a particular problem. There are multiple, and each one has to be evaluated in an unbiased way; given the business constraints presented to the QSA, the optimum one has to be advised. Please do not get me wrong: in no way am I suggesting that one has to compromise on the security level of the solution.

On the other side of the fence, solution architects and business owners should think hard about the way they have been behaving, paying lip service to the overall security of a business solution and hence, in one way, creating this whole polarization in the minds of security professionals. Also, in my view, the stubbornness shown by QSAs is partly caused by this artificial behavior of businesses.