Posts by: Julia Wailes-Fairbairn

Free live webinar: 5 signs you need a new QSA

Thursday 22nd November 3pm – 3.45pm (GMT)

In this free live webinar Paul Brennecker and Laura Chatton will be discussing the QSA role.

  • What does ‘good’ look like? 
  • Why is PCI compliance so important? 
  • What stops an organisation from seeking a change in QSA? 
  • Why is there such a market appetite for this service in the current climate?
  • Followed by a Q&A forum

Attaining PCI compliance is just one of the many ways in which organisations are being proactive in today’s threat landscape. Is your current QSA the ideal fit for helping you achieve your goals, not just in PCI compliance projects, but in your wider information security strategy?

5 signs you need a new QSA

PCI DSS compliance is no longer an annual project. New requirements this year are ensuring that businesses are monitoring their compliance on a continuous basis. So, is your QSA an expert that you can turn to throughout the year to ensure your organisation is doing all it can to comply with the regulations? Or might it be time to consider your options?

Ask yourself: how many of the following sound familiar?

1. No presence on site

If you can’t remember the last time you saw your QSA on-site, or they have only contacted you via telephone or email, this will need addressing post haste. A QSA should take pride in understanding your business and this requires some on-site effort.

2. A lack of listening skills

Consultancy should be based around communication and should always have that ‘human’ element. If your QSA seems to be singing from their own hymn sheet and appears to have tunnel vision, this is a red flag. A collaborative approach shows understanding and is usually found in QSAs that have ‘real world’ knowledge of PCI DSS.

3. The output isn’t aligning with time quoted

Unless you are satisfied that the assessment process is backed by a tried and tested methodology, this unfortunate (but frequent) issue may raise its ugly head. A QSA with a solid history and a broad depth of experience across more than one industry should be more than happy to be open about the shape of a typical assessment and the associated timelines. Should anything change mid-assessment, their reasons for this should be communicated to you clearly and any additional work should not commence without proper sign off by the client.

4. No remediation advice

Whilst there is an understanding that the responsibility for all post-project remediation work belongs to the client, the role of the QSA is to ensure that the client never hits a roadblock. If your QSA isn’t bought into your business goals and is dismissive of giving any form of guidance, it’s worth looking at the marketplace.

5. Future Proofing

QSAs should be well informed and keep their skills and knowledge up to date. The payment landscape is changing, and the PCI DSS is evolving over time to keep pace. There may be changes in the industry that, whilst they don’t affect compliance now, may have a bearing on your projects in the future. Is your QSA highlighting these issues for you up front and helping your Information Security program to remain agile?

If any or all of these points ring true, the SRM team can offer an exploratory conversation with no obligation. We have an upcoming webinar where our principal QSA, Paul Brennecker, talks us through his real-world PCI experience. Register at

Why is a Business Continuity Plan important?

Why is a Business Continuity Plan important? It’s simple: because a business’ ability to recover from a cyber breach hinges on its ability to react quickly. Since the enactment of GDPR earlier this year, it is now a statutory requirement that a breach is reported within 72 hours of its discovery. But this is not the only thing to consider. As soon as a breach is identified, certain steps need to be taken to contain and mitigate the extent of the breach to safeguard the future of the business. This process will run much more smoothly if all aspects of the strategy are well known to those responsible and have been pre-planned and pre-agreed.

The impact of a breach is often significantly wider than people first think. It is not necessarily just about money or data being stolen, or the fines imposed by the Information Commissioner’s Office (ICO) as a result, but about the longer-term impact. Loss of trust and reputation can be equally, if not more, damaging over the following months and years.

So, with the threat of a successful (and costly) cyberattack being very real, what can be done? Well, firstly, and perhaps counter-intuitively, the most important thing is to accept the risk and plan for a worst-case scenario. Every robust defence should therefore include a Business Continuity Plan (BCP) which includes Incident Response (IR) and Disaster Recovery (DR) plans. These plans should be continually challenged and reviewed, and correctly-scoped simulation exercises will ensure that all key personnel are experienced in the steps that need to be taken.

However, this is just one piece of the business continuity puzzle. Evaluating your company’s ability to restore IT operations can be a good starting point for a company-wide Business Continuity Plan. In fact, many business continuity planning efforts start by conducting a business impact analysis or risk assessment. These studies can reveal weaknesses in your organisation’s ability to continue operations that go far beyond IT. Good business continuity and disaster recovery planning should look at the business as a whole, with the goal of developing business resilience.

Of course, for most businesses in 2018, having a robust cyber defence is the first step, and every precaution should be taken to ensure that potential hackers and cyber criminals are kept at bay. It seems reasonable to assume that the harder we make it, the less likely a hacker is to focus their attention on us; they will look for easier targets. But the sad truth about today’s digital environment is that breaches can and do occur, even to the best-defended organisations. After all, it can take only one employee mistakenly opening a phishing email to provide a potential hacker with a route into an otherwise well-protected system.

Why is a Business Continuity plan important? Because speed is of the essence. The more quickly a breach can be identified and contained the less damage it will cause.

To discuss Business Continuity planning, contact the SRM team on 03450 21 21 51

To receive regular blogs on topics relating to information security, follow us on Linkedin.

To find out more visit our website.



Pen testing: why businesses need to be proactive not reactive ahead of the peak retail period

A breach at any time of the year is bad for business. But with the highest volume of sales – both retail and online – occurring between Black Friday and the January Sales, a customer data breach during this period could be catastrophic. With just a few weeks to go, it is time to be proactive, not reactive. Seeking external professional services at this stage could ultimately save immense damage to your business, your bottom line and your reputation.

First, some context. According to research (Carbon Black 2018), when it comes to cybercrime the most proactive investors are actually the cyber criminals themselves. It is estimated that they are now spending ten times more on finding cyber defence weaknesses in target organisations than the organisations themselves are spending on protecting against attack. Although the figures are global, with an estimated $1 trillion being spent by the cybercrime community compared to $96 billion by organisations to secure themselves, the UK has been identified as a major target.

Malicious attacks are therefore a very real threat, whether you deal with card transactions through a bricks-and-mortar shop or an online business. Unfortunately, compliance does not guarantee the security of your network systems. Like an MOT, it only demonstrates that at a certain date and time your business met the PCI DSS compliance standard. Similarly, businesses which have taken positive steps towards adhering to the requirements of GDPR will still need to take a proactive approach to defending against cybercrime.

So, what can be done? The most important investment at this stage is in professional penetration testing. This is the key to knowing exactly where potential vulnerabilities may lie. A bespoke combination of both manual and automated testing is an extremely efficient way to identify weaknesses and can be carried out with minimal disruption. If serious gaps are identified then further testing will exploit and develop these as a potential hacker would, providing you with valuable intelligence. You will then be in a position to work with experts to take whatever remedial action is required in good time. If actual (as yet undetected) breaches have already occurred, these can be reported on and contained before significant damage occurs.

While prudent investment in cyber security is vital, there is, however, no need to throw money at the problem. Engaging a professional consultancy with the full range of services will save you any unnecessary expense. This is because the exercise will be scoped to ensure you pay for what you need, not what you don’t. A professional team will also have the expertise to manage the whole process in a proactive way to ensure you are ready for business at the end of November.

Although every precaution should be taken to protect your systems, test and exercise is not the only important element of a mature and robust cyber defence. Business Continuity Planning, Incident Response and Disaster Recovery Plans should also be in place and watertight. An expert consultancy will be able to help develop these so that business interruption in the event of a breach is kept to an absolute minimum. Additionally, SRM can provide Red Teaming and Incident Simulation activities to give you ultimate peace of mind.

To discuss the full availability of our Test and Exercise and Incident Response services, call +44 (0) 3450 21 21 51.




Why get ISO27001 certification?

We are sometimes asked the question, why get ISO27001 certification? The answer is that the ISO standard, and ISO27001 compliance in particular, demonstrates that your organisation takes information security seriously. This ultimately enhances your reputation and delivers greater business opportunities, because ISO27001 lowers the risk for others of doing business with you.

Certification means that a third-party accredited independent auditor has performed an assessment of all processes and controls and confirms that operations are in alignment with the comprehensive ISO27001 certification standard. If a company is implementing ISO27001, it demonstrates that careful consideration has been given to what could endanger the confidentiality, integrity and availability of information. Once those risks are known, it is about ensuring that security measures have been implemented in order to reduce them to an acceptable level.

Another benefit of this certification is that, unlike GDPR, which does not have an actual compliance process, ISO27001 provides very clear direction. In this way it can be a useful starting point for ongoing adherence to GDPR. ISO27001 concentrates on policies and processes, including all legal, physical and technical controls involved in an organisation’s information risk management processes. Its value is that it creates a robust environment to protect both staff and customer information assets. But of equal value is the fact that it also provides evidence to potential customers and partner organisations that your company prioritises the security of the information it holds.

Of course, undertaking compliance with ISO27001 can be a rather intimidating prospect. The ISO standards require risk assessments to be conducted, together with the design and implementation of a comprehensive suite of information security controls. They also require other forms of risk management to address company and architecture security risks on an ongoing basis. This involves the implementation of any necessary changes to policies and processes (ISO27001) and controls (ISO27002). A cost-effective way to negotiate the rigours of the ISO27001 accreditation process is to seek professional help from specialists with a proven track record in achieving the standard.

If you are wondering ‘why get ISO27001 certification?’, you should discuss your requirements with us. The SRM team are experienced in all aspects of ISO27001 accreditation. Starting with a gap analysis which establishes your level of security readiness, we can recommend a prioritised remediation plan based on the gaps found. We are able to assist with any activities that need to be undertaken and provide guidance all the way up to a pre-audit assessment. Finally, our team can offer on-site audit support if needed, to give you complete peace of mind that your organisation’s ISO27001 accreditation is achieved and maintained.

To discuss ISO27001 or other certifications, contact the SRM team on 03450 21 21 51.
