We are all familiar with what it means to be secure – protecting people, organizations, and information against danger or loss. However, more often than not, business owners focus their concerns on compliance with industry and governmental regulations, assuming this will make them secure. They are typically interested in passing audits and assessments; yet assessments, audits, and regulations are not security – they are merely measurements, guidelines and standards that a particular group is concerned with. Only the organization itself knows what the organization does and how it does it. Therefore, being “security centric” means that the organization is interested in its own security – continually identifying the threats and vulnerabilities that could potentially impact it. By approaching things from this perspective and implementing security best practices, the organization can become compliant with the regulations and standards it is looking to follow.
As would be expected in business, decisions and processes always hinge on threats and vulnerabilities within the marketplace – organizations are always concerned with what their competition is doing and how they can minimize their exposure to it. Security breaches like those we are seeing today place entire organizations directly at risk, which stresses the importance of executive management being as concerned with information security as it is with market security – it isn’t just an IT function anymore. Security is more than just loading anti-virus software and installing a firewall; true security involves looking at the entire picture and understanding how policies and procedures, new software installations, and new systems can impact the safety of the data flowing through your organization.
According to the PCI Security Standards Council, any organization that processes, stores, or transmits payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS) or risk losing its ability to process credit cards and incurring non-compliance fines from its acquirer. The rapid increase in the use of credit cards in Quick Service Restaurants has been a great opportunity to attract more customers, provide faster service, and increase cash flow. However, maintaining security and managing PCI compliance has proven to be a serious challenge for restaurant operators.
Although at first it may seem daunting and impossible, it is much easier than one may think, but it does take diligent leadership to create a new culture. This starts with a comprehensive Information Security Policy (ISP). An ISP should enable, not disable, the company to do what it does best. An ISP that creates undue hardship for business processes results in policy violations, and in turn security vulnerabilities that can go unnoticed. Remember:
The business owner/operator needs to own the process of creating an ISP for their organization.
Security is about protecting your organization and your customers.
Any time you make decisions about your organization, you must think about how they impact security.
If security isn’t a primary concern, you need to rethink the priorities and goals of your organization.