Archive for July, 2009

Have you ever left a meeting frustrated that you didn’t get your point across?  Have you ever wondered why other people don’t “get it” when it comes to security?  I certainly know that I have and it was a moment like this that initially caused me to look at the problem differently.  I decided to turn the question around and began asking myself what I was doing that got in the way of other people getting it.

That was about 10 years ago and since then I have learned quite a bit about communicating effectively.  That isn’t to say that I don’t backslide on occasion or that I’m some sort of expert in effective communication.  I’m not, but I am lucky to know someone who is.  His name is Michael Santarcangelo and if you live near enough to Fairfax, Virginia you have a treat in store for you.

In addition to being a lifelong security professional, Michael is a professional speaker (as in a member of the National Speakers Association, not some guy who gets to speak in public occasionally like me).  That means that he has refined the ability to communicate effectively and quickly, something that is very important in these days of bullet point meetings and decreased budgets.

Michael has put together a program to teach others to effectively communicate the value of security and is just about ready to roll it out in an upcoming 15 city tour.  All he needs to do is give it a test run and that is where this amazing opportunity comes in. 

On Saturday July 25th (this coming Saturday), Michael will be giving a preview of the Communicating the Value of Security Seminar at George Mason University in Fairfax, Virginia.  He has worked with GMU and their Cauldron project to deliver this seminar.  Better still, since it is on a Saturday, he is offering a pool party and BBQ for the attendees and their families (provided courtesy of Cauldron).  The price is $12.75 per person/family.

That means that you can pay to attend the seminar and then have your family meet you for the pool party and BBQ for only $12.75.  Now where are you going to be able to feed your family for that price?  I used to live in the DC area and can tell you that you won’t find anyplace around where you could feed a family of four for under $15.  Even if you consider yourself a master communicator, you can always pick up a tip or trick, and at this price can you afford not to go?  The normal seminar will probably be quite a bit more expensive and probably won’t include BBQ and a pool party.

Check out Michael’s site for a description of the seminar and a link on where you can register.  Please spread the word too.  It is always important to support those in our community who are working to make our jobs easier, and Michael is definitely one of those.


Business Week has published a pretty good article on the Lessons Learned from the Heartland Data Breach.  I think the title is a bit misleading though.  There aren’t really any lessons learned, at least as far as what we in the security industry would call lessons learned.  From a business point of view, though, it does highlight the need to try and get out in front of a story.

The original draft of this post had me summarizing the Business Week article with a bit of commentary here and there.  As I reread it I realized that I wasn’t really adding anything and what I really wanted to accomplish had very little to do with the timeline and a lot to do with disclosure.

All in all I can’t really fault Heartland on the public relations side of this security incident.  The only two items that don’t seem to jibe for me are the claim that Robert Carr, the CEO at Heartland, only found out about the breach at 10:30 PM the night of Monday January 12th and the claim that they didn’t try to bury the disclosure in the middle of the media storm that was the Inauguration of President Obama.

As the article pointed out, Heartland was informed by VISA in October 2008 that there appeared to be signs of a breach based upon card issuers’ reports.  Heartland took the information seriously enough to go out and hire two forensics companies to examine their systems.  Now I know that Heartland is a big company, but when you add up the costs involved in having two different forensics companies come in for at least two months, and couple that with the possible implications of a data breach of this magnitude, I find it hard to believe that Robert Carr wasn’t at least aware of a critical potential problem before the phone call on January 12th.  If he truly wasn’t, then he wasn’t doing his job.

The second point is the accusation that Heartland tried to bury the story by making their public disclosure in the midst of the media storm surrounding the Inauguration.  Heartland claims that they couldn’t disclose the details until law enforcement was finished with their initial assessment and that they did so “as soon as was practicable.”  It is true that they couldn’t make any announcement in the midst of an investigation, but don’t insult my intelligence by implying that the release date and time weren’t by design.

Now that I have that off of my chest let me move on.  It is easy to sit out here on the Net and snipe, but let’s look at the situation objectively.  Heartland was compliant with industry standards and guidelines.  When they were notified of a possible breach they began an internal investigation.  This investigation most likely involved spending massive amounts of money in the retention of not one but two separate companies that specialize in digital forensics.  When they received official notification that a breach had occurred (supposition would lead one to conclude that the final document was delivered and briefed to someone at Heartland most likely on January 12th) they informed the appropriate authorities.  After law enforcement concluded their initial assessment, Heartland made a public announcement and owned up to the facts rather than trying to pass the blame on to anyone else.  They followed this up by personally contacting their customers, either in person or by phone.  Since then Carr has spearheaded an effort to encrypt card data at the point of collection, as well as co-founding an organization to share security information within the payments industry.

I’m sorry, but I can’t find anything to fault here and quite a bit to praise.  I predict that in the years to come the Heartland Incident will become a case study in how to respond to a security incident.  All too often companies try to play the blame game and dance around the issues.  I think that had Heartland done this they would have taken a bigger hit and garnered a lot more media attention than they already have.

Not that this has been painless for Heartland.  Heartland says that they lost a few hundred customers; their stock price lost 78% of its value and is currently trading at about 50% of what it was worth prior to the announcement.  They have spent something on the order of $12 million in remediation and mitigation activity thus far.  Expect that number to go up.  TJX is reported to have spent $171 million.

Was Heartland negligent in some way?  Well, that has yet to be seen, but based upon the information we have thus far I’d venture to say that they weren’t.  Negligence is the failure to exercise the care toward others which a reasonable or prudent person would exercise in the circumstances, or taking action a reasonable person would not.  If they were compliant with industry standards and guidelines, and responded appropriately when notified of a problem, then I would say that constitutes exercising due care commensurate with a reasonable or prudent person’s actions.

Now if Heartland isn’t to blame, who is?  There is the assertion that PCI is to blame.  Personally I’m not a fan of competing standards.  I just don’t see why we need so many different standards when we obviously are just repeating ourselves in varying levels of detail.  All that said, I’m not so sure it is the fault of PCI or any other standard that Heartland could have applied.  What I believe the issue to be is the application and measurement of standards and guidelines.  All too often we take an audit mentality when we talk about complying with standards and guidelines.  When we do this we distill everything down into some sort of checklist and then equate this with being secure.  You pass the audit, you are secure; you fail the audit, you are not secure.  The Heartland Incident is just another example of this being a false premise.

Now I don’t want to appear to be advocating the proverbial throwing of the baby out with the bath water.  What we need to do is find some way to encourage and support companies in making informed, risk-based decisions about security.  We can utilize standards and guidelines as frameworks upon which to build sound security practices, but we also need to find a way to support companies in making security decisions based upon acceptable risk and not compliance.

But do you want to know what the kicker is to all of this?  It is that if we do this then we will eventually come across a company that does all the right things and still has a security breach.  That will be the moment of truth.  How do we react?  Do we support the company for doing the right things and making sound, risk-based decisions, or do we slam them for non-compliance with an arbitrary set of standards and guidelines?

If we slam them then we are right back to where we are now, stuck in the quagmire of checklist/compliance-driven security which we know doesn’t work.  If we support them and use the security breach as an opportunity to learn from the mistake in order to improve, then we’ve turned the corner.

I’m not saying that I have all the answers either.  There has to be some measure of incentivizing companies to incorporate security into their processes other than forcing compliance with a law or regulation.  I’m just not quite sure what that is.  I do know that what we are doing now isn’t working.


I wanted everyone to know that the audio version of “Into the Breach: Protect your Business by Managing People, Information, and Risk” has just been released.  I reviewed the hardcopy version back in March and was just sent the brand new audio version.  If you are anything like me there is always too much to read, so it is nice to have a version that I can listen to on the way to the airport or during other times when reading isn’t an option.  The audio version has a smooth, clean, professional feel to it.  Michael Santarcangelo reads the book himself and, unlike most authors, Michael is a professional speaker.  That means the awkward pauses or monotone cadence often present in author-read books aren’t there.  Michael comes across as if he is sitting next to you explaining the process.  The audio version is very well done and an excellent complement to the written version.

Check out a snippet of the audio version of the book at:
http://www.securitycatalyst.com/innovation/security-catalyst-podcast/


Just wanted everyone to know that I’ll be teaching a new seminar on Cybersecurity July 16th at the Willard InterContinental in Washington DC.  The class is aimed at government executives, managers, and system owners rather than folks in the security industry (though I’d love to see you guys and gals there as well).

We’ll be defining Cybersecurity, discussing the various threats, discussing the pertinent federal regulations, and discussing the Cyberspace Policy Report that was just released by the White House. 

If you work for or support government and know someone who may benefit from this seminar please forward them the following link:

Cybersecurity for New Government Executives, Managers, and System Owners  (www.potomacforum.org/?view=308)

I look forward to seeing you there!
