An Open Letter to Heartland CEO Robert Carr
The first thing I wanted to touch on was Heartland. It's as if I was never away from blogging at all. My last blog post addressed Heartland Payment Systems' CEO talking about 'end-to-end' encryption. I suppose that PR move didn't do as much as it was designed to, or perhaps it was just the beginning of a series of rather interesting statements, interviews and speeches.
So, fast forward seven months or so, and we get an interview with Heartland's CEO Robert Carr in CSO Magazine. Mr. Carr made a number of interesting comments in that interview, like the statement "I told them (employees of Heartland) their job was to be up front with our customers and tell them what it means for them. Let us be the one to tell them first, not the press. Being candid has been key." or "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever."
Many of these comments simply left me scratching my head (I am almost raw from all the scratching by now). A number of security insiders have taken serious offense to Mr. Carr's comments - as they rightfully should. So, I won't bother repeating any of that.
I thought I would address some of the things I find rather interesting in an open letter to Mr. Carr. So, here it is -
I can't even begin to imagine what your organization has been through since the Heartland Payment Systems breach was announced earlier this year.
I am no judge of whether Heartland has addressed this situation in the best possible manner, but something tells me that your organization decided very early on to accept head-on the fact that the firm was breached (as if you had a choice to sweep it under the rug).
However, whether as part of a strategic effort or just by the way things happened, the firm has tried every technique to divert attention from the breach itself to other matters. We heard that the firm is "spearheading an effort in the industry to call for 'end-to-end' encryption." We heard that 'the auditors let you down.' We heard that the firm formed a payment-processing council to share information. That's all well and good. Here's what we would have preferred to hear from the firm:
- What was the firm's Information Security program like (no one wants to know the specifics of the program), say, a couple of years before this breach?
- What were the firm's intrusion detection and prevention capabilities prior to this breach?
- Was Information Security ever on your board's agenda during regular meetings?
- Were appropriate resources assigned to the Information Security function in terms of budgets and personnel, again a couple of years prior to this breach?
- What programs were in place to educate your clients and employees on Information Security matters?
- Was there a defined periodic risk assessment practice in place at the organization prior to this breach? Was there a process in place to brief the board members on the results of such risk assessments?
I am not insinuating that your organization was doing none of the things outlined above. However, not addressing them in a straightforward manner gives the impression that the organization is trying to divert attention from such topics to other matters surrounding this breach.
I must say that I admire the courage you have shown in talking about security issues in front of the folks who live and breathe security as their profession. But simply dropping your security vendors' product names won't get you off the hook. It's not only the security practitioners you have been addressing lately who were hurt by this breach at Heartland. It was a sea of merchants of all sizes who were caught in the middle of it. It's the bankers throughout the country who have to answer to their angry customers and explain (as much as they can) why there could possibly be fraudulent charges on their accounts.
In addition to all the payments and security-related gatherings you have been addressing lately, I suggest you hold a meeting for these bankers. They are the organizations taking the most heat from their customers for what happened at Heartland. As you protect your shareholders, they have to do the same for their investors. Hopefully it will be a meeting of equals, and collectively we will be able to address the vulnerabilities inherent in the entire system.
If you are going to continue to be the 'face' of Heartland Payment Systems on security issues -- and I suspect you will for some time to come -- then I suggest that next time you address some of the items listed above instead of just talking about 'QSAs letting you down.'