[ISN] Heartland CEO gets a smackdown after his CSO interview

From: InfoSec News <alerts_at_private>
Date: Mon, 17 Aug 2009 00:16:31 -0500 (CDT)
http://blogs.computerworld.com/14539/heartland_ceo_gets_a_smackdown_after_his_cso_interview

By Michael R. Farnum
Hitting the Security Nerve
Computerworld Blogs
August 13, 2009 

If you are reading this, you probably know about Heartland Payment 
Systems and the credit card system breach they suffered in late '08 - 
early '09.  There are a lot of details to be found, so I won't rehash it 
all.  So let's just focus on one point: Heartland had been declared PCI 
compliant before the breach.  And that is the focus of Robert Carr, 
Heartland CEO, in his interview with Bill Brenner at CSO Magazine.  He 
places the blame for his breach squarely on PCI DSS and the QSAs 
(Qualified Security Assessors) that audited Heartland's PCI compliance.  
And that is why Rich Mogull got out the can opener and proceeded to open 
a big can of whoop-a$$.

Honestly, Rich has already done a better job than I could do on 
explaining why Mr. Carr's statements were misguided at best.  So I will 
just point out a few quotes and leave you to read the interview and the 
post.

 From Rich:

    As the CEO of a large public company you clearly understand the role 
    of audits, assessments, and auditors. You are also fundamentally 
    familiar with the concepts of enterprise risk management and your 
    fiduciary responsibility as an officer of your company. Your 
    attempts to shift responsibility to your QSA are the accounting 
    equivalent of blaming your external auditor for failing to prevent 
    the hijacking of an armored car.

This, folks, is the best quote in Rich's whole post, IMHO.  This clearly 
points out why Mr. Carr is so wrong in his interview.  This shows why I 
fully expect Mr. Carr to run for political office in the near future.  
He is very good at shifting blame when he knows (or at least should have 
known) that he is at fault.  Mr. Carr had a security team.  Mr. Carr, 
you and your security team are responsible for this breach, not the 
QSAs.  They are the guards on the armored car, not the QSAs.

Another quote from Mr. Mogull:

    I agree completely that this is a problem with PCI. But what 
    concerns me more is that the CEO of a public company would rely 
    completely on an annual external assessment to define the whole 
    security posture of his organization. Especially since there has 
    long been ample public evidence that compliance is not the 
    equivalent of security. Again, if your security team failed to make 
    you aware of this distinction, I'm sorry.

Did you catch that?  It can't be said enough: "there has long been ample 
public evidence that compliance is not the equivalent of security."  Of 
course, Mr. Carr acts like this is a revelation of some kind when he 
says this:

[...]


________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org