Posts Tagged “CSO Magazine”

I’ve been a bit lax with the blog lately and for that I’m sorry.  The reason will be clear in a few weeks when I hope to be able to make an announcement.  For now though I’d like to just provide my apologies.

This post started out as my commentary on two recent articles that appeared in CSO Magazine concerning the data breach at Heartland Payment Systems (“Heartland CEO on Data Breach: QSAs Let Us Down” and “SQL Injection Attacks Lead to Heartland, Hannaford Breaches.”) 

Now what I do to write these posts is basically sit down and let it just flow out of me.  I then go back and do a little cleanup as needed.  Sometimes the cleanup needed is so much that I just trash the post.  Other times I realize that a concept that came up late in the post is really what the post should have been about in the first place.  That is the case this time.  So I’ve basically thrown out three quarters of the pontificating (which you really didn’t want to hear anyway) and focused on the analogy that information security is much like professional cooking.  As I put this together I glanced down at the word count and realized that this was growing to be much more than the simple post I initially envisioned.  So what I’ll do is break it up into a few parts to try to get my point across.  Let me know if I was successful. 

How did I come up with this analogy?  Well, it was mainly sparked by a comment made by Heartland CEO Robert Carr in the first article mentioned above.  That comment was:

“The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

In this first part I’m going to set up the analogy and then dive into it within the subsequent posts. 

While I’ve been critical of some of the statements that Mr. Carr has made in the past, I basically think that he has done a great job in responding to the crisis his company is in.  True, he may have been forced into this response by circumstances, but I’m not going to look a gift horse in the mouth.  A CEO of a major corporation has finally come to realize the importance of information security in the daily operations of his company.  However you look at it, that is a good thing.  That he has become proactive in advancing our cause is an even better thing. 

What concerns me, though, is Mr. Carr’s statement.  He may be doing the right thing, but I don’t want him to do it for the wrong reason, because in the end it won’t help us out; it may even hurt us. 

You see, Mr. Carr’s statement smacks of “missing the forest for the trees.”  He seems to understand that he must do something but doesn’t really understand the real reason behind it.  So this is my effort to try to shed some light on the subject.  Will Mr. Carr ever read this?  Who knows, but that really isn’t important as long as this helps someone.  So if this makes sense and you want to use it, go right ahead.  (Just give me credit in some way.)

Let me take a stab at reconciling the issue.  The QSAs didn’t necessarily fail; they audited to a known and accepted standard.  PCI DSS didn’t necessarily fail either; it is what it is: a standard.  What failed you was the commonly held assumption that compliance equals security. 

When push comes to shove, SQL injection has been around for a long time, so the fact that systems are still regularly found to have input validation issues is surprising.  Since we can’t blame the QSAs, should we blame the developers?  We could, but again we’d be missing the forest for the trees.  These are but symptoms of the problem.  How do we get at the problem?  In trying to get a handle on this I’ll try my hand at a little analogy: information security is a lot like professional cooking.  I’ll illustrate this by first focusing on how recipes are a lot like standards (Part Two) and then broaden the image by relating what we do in information security to working in a professional kitchen.
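To make the “input validation issue” above concrete, here is an added example of my own (not code from the post, from Heartland, or from any of the companies named) showing the classic SQL injection pattern against a throwaway in-memory SQLite table, next to the parameterized query and the allowlist check that remove it.  The table, column names, sample rows, merchant-id pattern and attack string are all constructed for the demonstration.

```python
"""Added example: string-spliced SQL versus a parameterized query.

Everything here (table, rows, merchant-id pattern, attack string) is
constructed for the demonstration and is not taken from the post.
"""
import re
import sqlite3

# Allowlist for what a merchant identifier is allowed to look like.
# The exact pattern is an assumption made for this demo.
MERCHANT_ID = re.compile(r"[a-z0-9_-]{1,32}")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (merchant TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("acme", "1111"), ("globex", "2222"), ("initech", "3333")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant: str) -> list:
    """The anti-pattern: untrusted input is spliced into the SQL text.

    The value becomes part of the statement grammar, so a single quote in
    the input terminates the literal and whatever follows is run as SQL.
    """
    sql = f"SELECT merchant, pan_last4 FROM cards WHERE merchant = '{merchant}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, merchant: str) -> list:
    """The fix: the statement is compiled with a placeholder and the value
    is bound separately, so it can only ever be compared as data."""
    sql = "SELECT merchant, pan_last4 FROM cards WHERE merchant = ?"
    return conn.execute(sql, (merchant,)).fetchall()


def validate_merchant(merchant: str) -> str:
    """Defence in depth: reject anything outside the allowlisted shape
    before it reaches the database layer at all."""
    if not MERCHANT_ID.fullmatch(merchant):
        raise ValueError(f"rejected merchant id: {merchant!r}")
    return merchant


def demo() -> dict:
    """Run both lookups with an honest value and a constructed attack string."""
    conn = make_db()
    honest = "acme"
    # Closes the string literal, then adds a tautology: every row matches.
    hostile = "x' OR '1'='1"
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "param_honest": lookup_parameterized(conn, honest),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The spliced query hands back every row for the hostile input, while the parameterized one returns nothing because no merchant is literally named `x' OR '1'='1`.  The allowlist check is the layer a standard would call “input validation”; it is worth having, but it is the parameterization that actually removes the bug.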


Okay, this week the post is going to be a bit of a cop-out.  Things have been a bit hectic around here, and while that is a good thing, it is typically just me who can do them.  I know that I have a few series postings that I need to finish up, but billable work must come first. 

What I wanted to mention this week is an article out on CSO Online by Joan Goodchild.  It is entitled “5 Steps to Communicate Security’s Value to Non-security People” and is based on an interview with Michael Santarcangelo.  You may recall that I reviewed Michael’s book last week (wow, it seems like that was a month or so ago) and that I was part of a podcast put out by Michael’s company, the Security Catalyst. 

Needless to say I’m a Michael Santarcangelo fan and, in the spirit of full disclosure, we’re discussing some collaborative efforts sometime in the near future.  (More on that as we work the details out.)

Anyway, back to the article:  Ms. Goodchild’s article is a timely one, as it addresses what information security practitioners can do to demonstrate their relevance in these tough economic times.   The article covers five steps you can take to communicate effectively and demonstrate your value.  I think the time you take to read it will be well spent. 

I’ll be back next week with my usual long-winded posts.


Bill Brenner, Senior Editor over at CSO Magazine, has a great podcast in which he covers a recent security gathering in Boston, MA.  The item that captured my attention is a summary of a Forrester Research study on the increase in security spending.  According to their research (and I’m just going on the information from the podcast; I haven’t read the paper yet), fear, uncertainty and doubt (FUD) have fueled an approximate 10% increase in information security budgets, a 2% increase over last year. 

If you have the time, and you only need seven and a half minutes, it is worth listening to Bill Brenner’s podcast. 
