Will the Real Enemy of Security Please Stand Up?

CSO - A very heated reaction has followed the interview I conducted yesterday with Robert Carr, CEO of Heartland Payment Systems. One reader even said the resulting Q&A made his "blood boil."

Why the outrage? Because Carr did something a lot of people find unacceptable. He threw someone else under the proverbial bus for his company's failure to keep customer credit and debit card numbers out of evil hands. Specifically, he thrust an angry finger at the QSAs who came in to inspect the security controls Heartland had in place to meet the requirements of PCI security.

In the article, [ Heartland CEO on Data Breach: QSAs Let Us Down] Carr said, "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."

That one comment brought down the house, and not in a favorable way.

"I just read Bill Brenner's interview with Heartland Payment Systems' CEO Bob Carr and truthfully, my blood is boiling," Mike Rothman, SVP of strategy at eIQnetworks and chief blogger at Security Incite wrote in a counterpoint piece CSOonline ran today. "Basically, he's throwing his QSA under the bus for the massive data breach that happened under his watch. Basically, because the QSA didn't find anything, therefore he should be off the hook. I say that's a load of crap."

Since the Q&A's publication, my Twitter stream has been gushing with likeminded comments. Here are a few of my favorites, with the identities protected:

• "So all I have to do is QSA-shop and then throw them under the bus later in an interview? That's awesome!"
• "QSA output is only as good as the information/honesty, integrity of the client!"
• "Let's see, a captain try blaming the USCG for a faulty inspection after a maritime mishap. Would quickly be an EX-captain. #PCI #HPS #BS"

I agree with the notion that too much blame has been dumped on the QSA and that in most cases a security audit is only as good as the honesty of the client. Clearly, Heartland's security weaknesses were extensive and the responsibility must ultimately rest with everyone up and down the Heartland chain of command.