http://blogs.computerworld.com/14539/heartland_ceo_gets_a_smackdown_after_his_cso_interview

By Michael R. Farnum
Hitting the Security Nerve
Computerworld Blogs
August 13, 2009

If you are reading this, you probably know about Heartland Payment Systems and the credit card system breach they suffered in late '08 - early '09. There are a lot of details to be found, so I won't rehash it all. So let's just focus on one point: Heartland had been declared PCI compliant before the breach.

And that is the focus of Robert Carr, Heartland CEO, in his interview with Bill Brenner at CSO Magazine. He places the blame for his breach squarely on PCI DSS and the QSAs (Qualified Security Assessors) that audited Heartland's PCI compliance. And that is why Rich Mogull got out the can opener and proceeded to open a big can of whoop-a$$.

Honestly, Rich has already done a better job than I could do of explaining why Mr. Carr's statements were misguided at best. So I will just point out a few quotes and leave you to read the interview and the post.

From Rich:

    As the CEO of a large public company you clearly understand the role of audits, assessments, and auditors. You are also fundamentally familiar with the concepts of enterprise risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car.

This, folks, is the best quote in Rich's whole post, IMHO. This clearly points out why Mr. Carr is so wrong in his interview. This shows why I fully expect Mr. Carr to run for political office in the near future. He is very good at shifting blame when he knows (or at least should have known) that he is at fault. Mr. Carr had a security team. Mr. Carr, you and your security team are responsible for this breach, not the QSAs. They are the guards on the armored car, not the QSAs.

Another quote from Mr. Mogull:

    I agree completely that this is a problem with PCI. But what concerns me more is that the CEO of a public company would rely completely on an annual external assessment to define the whole security posture of his organization. Especially since there has long been ample public evidence that compliance is not the equivalent of security. Again, if your security team failed to make you aware of this distinction, I'm sorry.

Did you catch that? It can't be said enough: "there has long been ample public evidence that compliance is not the equivalent of security." Of course, Mr. Carr acts like this is a revelation of some kind when he says this:

[...]