Ron and Robert, Thanks for both links. The interview on CSOonline.com spurred some interesting thoughts about other ways of presenting presenting the issue of unhelmeted squirrels. I also saw Rich's comments yesterday on Twitter about his letter, but didn't have a chance to read it. I've done that and like what he said.
Here's some of the thoughts I have from both of these documents. Here's a very public example of a PCI "compliant" company who was massively breached. Both the CSOonline article and Rich's letter make the point that PCI compliant does not mean you are secure. Sure the CEO of Heartland is trying to avoid blame, but even he makes the comment that PCI is not bad for a minimal standard, but doesn't reflect real security. Rich takes it a lot further and really hammers that idea home by comparing it to the role of financial audits. People don't like getting attention for negative or embarrassing events. You can bet the CEO of Heartland would rather to not be in the position of giving interviews of what went wrong and what they are doing to improve. Who wants to spend their time remediating their company's image? It might be a powerful visual to take some articles about Heartland's breach and replace the names with company and manager names associated with the my/your company. It gets that emotional reaction going. Use Heartland to illustrate the point that PCI isn't the solution to all security woes. This idea is a bit heavy on the Fear in FUD so I need to think about it some, but I think it deserves some consideration. George SantaYana is credited with saying, "Those who cannot learn from history are doomed to repeat it." Here's a very recent, very relevant event that begs to be learned from. The question I'm thinking about now is how to present these lessons so that it is meaningful to the audience and the end result (dead squirrels and a data breach) can be avoided. Good food for thought. Jason On Thu, Aug 13, 2009 at 7:02 AM, Robert Portvliet < [email protected]> wrote: > Rich Mogull had a few things to say about that yesterday (very good read) > > http://securosis.com/blog > > > > On Thu, Aug 13, 2009 at 6:21 AM, Ron Gula<[email protected]> > wrote: > > All great points .... and now from a CEO who says their QSA's let them > > down: > > > > > > > http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down?page=1 > > > > Heartland CEO on Data Breach: QSAs Let Us Down > > > > Heartland Payment Systems Inc. CEO Robert Carr opens up about his > > company's data security breach, how compliance auditors failed to flag > > key attack vectors and what the big lessons are for other companies. > > > > ... > > > > -- > > Ron Gula, CEO > > Tenable Network Security > > > > > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > -- irc: Tadaka Twitter: Jason_Wood jwnetworkconsulting.com
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
