Clarifying Quarterly External Scans

Over the years I’ve worked with many clients who seem to have a strong security and compliance program. The client provides many of the key documents required for compliance: documentation for their penetration testing, risk assessments, policies and procedures. Everything seems to be going smoothly, but there’s a delay while waiting for their external Approved …

PCI Isn’t Risk-based! (and other PCI myths)

As an infosec practitioner and QSA, I’ve been deeply involved in PCI since its inception. As a former educator (I taught high school social studies for eight years), I believe in the reductionist method for teaching complex subjects. In these articles I will combine my experience to deconstruct many of the problems – typically rooted …