PaulDotCom mailing list archives

Question about PCI audit results and reality....


From: NSweaney at tulsacash.com (Nathan Sweaney)
Date: Fri, 14 Aug 2009 08:36:01 -0500

"The question I'm thinking about now is how to present these lessons so
that it is meaningful to the audience and the end result (dead squirrels
and a data breach) can be avoided."

 

I'd recommend walking into the meeting with a dead squirrel on a tray &
just plopping it down on the table.  That'll get their attention.  Let
us know how that goes... :-)

________________________________

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Jason Wood
Sent: Thursday, August 13, 2009 12:45 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Question about PCI audit results and reality....

 

Ron and Robert,
Thanks for both links.  The interview on CSOonline.com spurred some
interesting thoughts about other ways of presenting the issue
of unhelmeted squirrels.  I also saw Rich's comments yesterday on
Twitter about his letter, but didn't have a chance to read it.  I've
done that and like what he said.

Here's some of the thoughts I have from both of these documents.

Here's a very public example of a PCI "compliant" company who was
massively breached.  Both the CSOonline article and Rich's letter make
the point that PCI compliant does not mean you are secure.  Sure the CEO
of Heartland is trying to avoid blame, but even he makes the comment
that PCI is not bad for a minimal standard, but doesn't reflect real
security.  Rich takes it a lot further and really hammers that idea home
by comparing it to the role of financial audits. 

People don't like getting attention for negative or embarrassing events.
You can bet the CEO of Heartland would rather not be in the position
of giving interviews about what went wrong and what they are doing to
improve.  Who wants to spend their time remediating their company's
image?  It might be a powerful visual to take some articles about
Heartland's breach and replace the names with company and manager names
associated with my/your company.  It gets that emotional reaction
going.  Use Heartland to illustrate the point that PCI isn't the
solution to all security woes.  This idea is a bit heavy on the Fear in
FUD so I need to think about it some, but I think it deserves some
consideration.

George Santayana is credited with saying, "Those who cannot learn from
history are doomed to repeat it."  Here's a very recent, very relevant
event that begs to be learned from.  The question I'm thinking about now
is how to present these lessons so that it is meaningful to the audience
and the end result (dead squirrels and a data breach) can be avoided.

Good food for thought.

Jason  

On Thu, Aug 13, 2009 at 7:02 AM, Robert Portvliet
<robert.portvliet at gmail.com> wrote:

Rich Mogull had a few things to say about that yesterday (very good
read)

http://securosis.com/blog
On Thu, Aug 13, 2009 at 6:21 AM, Ron Gula <rgula at tenablesecurity.com>
wrote:
All great points .... and now from a CEO who says their QSA's let them
down:

http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down?page=1

Heartland CEO on Data Breach: QSAs Let Us Down

Heartland Payment Systems Inc. CEO Robert Carr opens up about his
company's data security breach, how compliance auditors failed to flag
key attack vectors and what the big lessons are for other companies.

...

--
Ron Gula, CEO
Tenable Network Security


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
-- 

irc: Tadaka
Twitter:  Jason_Wood
jwnetworkconsulting.com