Question about PCI audit results and reality....

[tadaka at gmail.com (Jason Wood)]

Ron and Robert,
Thanks for both links.  The interview on CSOonline.com spurred some
interesting thoughts about other ways of presenting presenting the issue of
unhelmeted squirrels.  I also saw Rich's comments yesterday on Twitter about
his letter, but didn't have a chance to read it.  I've done that and like
what he said.

Here's some of the thoughts I have from both of these documents.

Here's a very public example of a PCI "compliant" company who was massively
breached.  Both the CSOonline article and Rich's letter make the point that
PCI compliant does not mean you are secure.  Sure the CEO of Heartland is
trying to avoid blame, but even he makes the comment that PCI is not bad for
a minimal standard, but doesn't reflect real security.  Rich takes it a lot
further and really hammers that idea home by comparing it to the role of
financial audits.

People don't like getting attention for negative or embarrassing events.
You can bet the CEO of Heartland would rather to not be in the position of
giving interviews of what went wrong and what they are doing to improve.
Who wants to spend their time remediating their company's image?  It might
be a powerful visual to take some articles about Heartland's breach and
replace the names with company and manager names associated with the my/your
company.  It gets that emotional reaction going.  Use Heartland to
illustrate the point that PCI isn't the solution to all security woes.  This
idea is a bit heavy on the Fear in FUD so I need to think about it some, but
I think it deserves some consideration.

George SantaYana is credited with saying, "Those who cannot learn from
history are doomed to repeat it."  Here's a very recent, very relevant event
that begs to be learned from.  The question I'm thinking about now is how to
present these lessons so that it is meaningful to the audience and the end
result (dead squirrels and a data breach) can be avoided.

Good food for thought.

Jason

On Thu, Aug 13, 2009 at 7:02 AM, Robert Portvliet <
robert.portvliet at gmail.com> wrote:

> Rich Mogull had a few things to say about that yesterday (very good read)
>
> http://securosis.com/blog
>
>
>
> On Thu, Aug 13, 2009 at 6:21 AM, Ron Gula<rgula at tenablesecurity.com>
> wrote:
> > All great points .... and now from a CEO who says their QSA's let them
> > down:
> http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down?page=1
> > Heartland CEO on Data Breach: QSAs Let Us Down
> >
> > Heartland Payment Systems Inc. CEO Robert Carr opens up about his
> > company's data security breach, how compliance auditors failed to flag
> > key attack vectors and what the big lessons are for other companies.
> >
> > ...
> >
> > --
> > Ron Gula, CEO
> > Tenable Network Security
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 

irc: Tadaka
Twitter:  Jason_Wood
jwnetworkconsulting.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090813/8dce62e1/attachment.htm