by adam on August 13, 2009
Bill Brenner has an interview with Robert Carr, the CEO of Heartland. It’s headlined “Heartland CEO on Data Breach: QSAs Let Us Down.” Some smart security folks are outraged, asserting that Carr should know the difference between compliance and security, and audit and assessment. Examples include Rich Mogull’s “Open Letter to Robert Carr” and Alan Shimel’s “Heartland CEO thought QSA’s would make him compliant and secure.”
It is unfortunate that your assessors were not up to date on the latest electronic attacks, which have been fairly well covered in the press. It is even more unfortunate that your internal security team was also unaware of these potential issues, or failed to communicate them to you (or you chose to ignore their advice).
One definition of insanity is to keep doing the same thing over and over and expect different results. Without disagreeing with Rich about the responsibilities of the CEO, we in infosec make lots of assertions about what other people should know. But we rarely test if our attempts to educate get through. There are lots of people who assert, correctly, that the CEO needs to know X, Y and Z. But it’s the responsibility of the people under him to communicate effectively, and reading Brenner’s interview, it’s pretty clear that Heartland’s infosec people didn’t deliver a message that sank in. What’s the message that sinks in? Real hard numbers about how often these things happen and their impact, so the CEO can allocate scarce resources based on something other than assertions that he must invest in this or that. Switching gears for a moment, Alan wrote:
Isn’t that the real travesty of our industry though? Only after the cows have run out and the barn has burned down does anyone really give a crap. Even by his own admission with what happened to him and his company, when he goes to talk to others in his industry the feeling is still it can’t happen to them. What will it take? Does every single one need to have a security incident?
What it will take is talking about what goes wrong. That’s why I’m glad Carr is speaking out, but he’s doing so anecdotally. As Carr asks:
The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.
Why can that malware be used in 300 attacks, and “compliance” not involve a validation that the AV in use will catch it? It’s because we don’t talk about what’s going wrong. We keep saying the same things over and over, and hoping that they’ll work differently. But here’s a prediction: if the QSAs had said “your anti-malware is missing malware that’s been implicated in 300 breaches,” that issue would have been cleaned up inside of days, either by the vendor adding signatures or by the vendor being replaced.
The outrage is that we’re still, as Carr and I put it, sweeping it all under the rug.