This week’s personal responsibility award goes to Rich Mogull for his excellent point-for-point response to Heartland CEO Robert Carr’s blame-it-on-the-QSA interview with CIO Magazine.  (If you need a summary, read Michael Farnum’s notes at Computerworld.)

I fully support Bob Carr, who in 2007 was given the E&Y Entrepreneur of the Year award.  I think he is an innovator who took the unfortunate data breach and used it as a chance to evangelize for not just stricter but smarter data security controls.  I was happy to read about his implementation of end-to-end encryption in an effort to further thwart the carders.

What I don’t support is when people blame others for their problems.  A good leader knows to take responsibility for the actions of those they manage.  I find it disappointing that such a leader would bow to the blame game rather than simply say, ‘Hey, we had a problem, we are fixing it, let’s move on.’

Perhaps it is something he must say for legal reasons, or perhaps he will never trust an external auditor again (financial or technical), but I must make the same point that Rich does.

As the CEO of a large public company you clearly understand the role of audits, assessments, and auditors. You are also fundamentally familiar with the concepts of enterprise risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car.

Rich furthers this point by saying:

The role of your QSA is to assure your compliance with the standard, not secure your organization from attack. Their role isn’t even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI.

If we look at the 10 Fallacies of PCI and read the 10 Myths of PCI [PDF] direct from the PCI SSC, we can see that Myth #4 is “PCI will make us secure”. I’m not sure how much clearer it could be said.

Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

I am not saying the QSA did or did not do their job.  I do not know the facts surrounding the case and thus cannot speculate.  What I do know is that, either way, the QSA obtained their information from the corporate IT professionals.  In fact, a major validation step is interviewing internal staff.  It is through these interviews, and through inspection of various devices and configurations, that the QSA determines the scope of the assessment and the security of an organization.

In fact, the Verizon DBIR report noted situations where a company had security controls in place but did not monitor them over time.  The QSA examines the settings and processes of an organization at a point in time, but is not there every day to ensure those processes are actually performed.

The apparent ineffectiveness of event monitoring and log analysis continues to be somewhat of an enigma. The opportunity for detection is there; investigators noted that 66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources. Though lower than in previous years (it was 82 percent from 2004 to 2007), this finding still suggests that realized effectiveness remains much lower than potential effectiveness.

Rich points out a very important part of personal responsibility:

It is unfortunate that your assessors were not up to date on the latest electronic attacks, which have been fairly well covered in the press. It is even more unfortunate that your internal security team was also unaware of these potential issues, or failed to communicate them to you (or you chose to ignore their advice).

Regardless of where the blame falls in this situation, it’s the responsibility of a leader to say ‘mea culpa’ and move on.  I think Bob made excellent use of the media attention to drive technology in the right direction to stem the spread of payment-card data compromise.  I hope he is remembered for his leadership and not for blaming others.