Heartland CEO gets a smackdown after his CSO interview

If you are reading this, you probably know about Heartland Payment Systems and the credit card system breach they suffered in late '08 - early '09.  There a lot of details to be found, so I won't rehash it all.  So let's just focus on one point: Heartland had been declared PCI compliant before the breach.  And that is the focus of Robert Carr, Heartland CEO, in his interview with Bill Brenner at CSO Magazine.  He places the blame for his breach squarely on PCI DSS and the QSAs (Qualified Security Assessor) that audited Heartland's PCI compliance.  And that is why Rich Mogull got out the can opener and proceeded to open a big can of whoop-a$$

Honestly, Rich has already done a better job than I could do on explaining why Mr. Carr's statements were misguided at best.  So I will just point out a few quotes and leave you to read the interview and the post. 

From Rich:

As the CEO of a large public company you clearly understand the role of audits, assessments, and auditors. You are also fundamentally familiar with the concepts of enterprise risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car.

This, folks, is the best quote in Rich's whole post, IMHO.  This clearly points out why Mr. Carr is so wrong in his interview.  This shows why I fully expect Mr. Carr to run for political office in the near future.  He is very good at shifting blame when he knows (or at least should have known) that he is at fault.  Mr. Carr had a security team.  Mr. Carr, you and your security team are responsible for this breach, not the QSAs.  They are the guards on the armored car, not the QSAs.

Another quote from Mr. Mogull:

I agree completely that this is a problem with PCI. But what concerns me more is that the CEO of a public company would rely completely on an annual external assessment to define the whole security posture of his organization. Especially since there has long been ample public evidence that compliance is not the equivalent of security. Again, if your security team failed to make you aware of this distinction, I'm sorry.

Did you catch that?  It can't be said enough: "there has long been ample public evidence that compliance is not the equivalent of security."    Of course, Mr. Carr acts like this is a revelation of some kind when he says this:

...we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.

Seriously, Mr. Carr?  Was that news to you??  I'm sorry, but I don't buy it.  If a CEO thinks that getting a good Report on Compliance (ROC) by a QSA means his or her organization is secure, then that CEO deserves scorn and ridicule and to be shown the door.  Of course, Mr. Carr is still there, and that is up to the board to decide.

And like Rich said, there is a problem with PCI.  Heck, there is a problem with most compliance programs.  And that problem is with auditing.  The whole auditing process is faulty.  I have been involved in many audits, and so very often the auditor has a check box mentality because the company contracted to perform the audit wants as many audits performed as possible because that equals revenue.  Also, very often the auditor is not sufficiently knowledgable in the process he or she is trying to audit (don't take that as a blanket statement that all auditors fit this mold - it is just an observation made from a lot of experience).  But in no way can the auditor be blamed when a breach happens if you have a security team.  Read these quotes from Rich to see what I mean:

Unless your QSAs were also responsible for your operational security, the only ones responsible for your breach are the criminals, and Heartland itself.

PCI compliance means you are compliant at a point in time, not secure for an indefinite future.

Also, standards like PCI merely represent a baseline of controls, and as the senior risk manager for Heartland it is your responsibility to understand when these baselines are not sufficient for your specific situation.

In Rich's defense, he really was extremely calm and thoughtful in his response.  He didn't get caustic in any way.  But as we all know, a well-reasoned argument often cuts deeper than a mouthful of hateful words.  So break out the EMT kit, Rich.  Mr. Carr needs a few wounds cleaned and dressed.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon