"The question I'm thinking about now is how to present these lessons so that it is meaningful to the audience and the end result (dead squirrels and a data breach) can be avoided."
I'd recommend walking into the meeting with a dead squirrel on a tray & just plopping it down on the table. That'll get their attention. Let us know how that goes... :-) ________________________________ From: [email protected] [mailto:[email protected]] On Behalf Of Jason Wood Sent: Thursday, August 13, 2009 12:45 PM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Question about PCI audit results and reality.... Ron and Robert, Thanks for both links. The interview on CSOonline.com spurred some interesting thoughts about other ways of presenting presenting the issue of unhelmeted squirrels. I also saw Rich's comments yesterday on Twitter about his letter, but didn't have a chance to read it. I've done that and like what he said. Here's some of the thoughts I have from both of these documents. Here's a very public example of a PCI "compliant" company who was massively breached. Both the CSOonline article and Rich's letter make the point that PCI compliant does not mean you are secure. Sure the CEO of Heartland is trying to avoid blame, but even he makes the comment that PCI is not bad for a minimal standard, but doesn't reflect real security. Rich takes it a lot further and really hammers that idea home by comparing it to the role of financial audits. People don't like getting attention for negative or embarrassing events. You can bet the CEO of Heartland would rather to not be in the position of giving interviews of what went wrong and what they are doing to improve. Who wants to spend their time remediating their company's image? It might be a powerful visual to take some articles about Heartland's breach and replace the names with company and manager names associated with the my/your company. It gets that emotional reaction going. Use Heartland to illustrate the point that PCI isn't the solution to all security woes. This idea is a bit heavy on the Fear in FUD so I need to think about it some, but I think it deserves some consideration. George SantaYana is credited with saying, "Those who cannot learn from history are doomed to repeat it." Here's a very recent, very relevant event that begs to be learned from. The question I'm thinking about now is how to present these lessons so that it is meaningful to the audience and the end result (dead squirrels and a data breach) can be avoided. Good food for thought. Jason On Thu, Aug 13, 2009 at 7:02 AM, Robert Portvliet <[email protected]> wrote: Rich Mogull had a few things to say about that yesterday (very good read) http://securosis.com/blog On Thu, Aug 13, 2009 at 6:21 AM, Ron Gula<[email protected]> wrote: > All great points .... and now from a CEO who says their QSA's let them > down: > > > http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSA s_Let_Us_Down?page=1 > > Heartland CEO on Data Breach: QSAs Let Us Down > > Heartland Payment Systems Inc. CEO Robert Carr opens up about his > company's data security breach, how compliance auditors failed to flag > key attack vectors and what the big lessons are for other companies. > > ... > > -- > Ron Gula, CEO > Tenable Network Security > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com -- irc: Tadaka Twitter: Jason_Wood jwnetworkconsulting.com
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
