<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Network Security Consulting Blog &#187; PCI Compliance</title>
	<atom:link href="http://blog.emagined.com/network-security/pci-compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.emagined.com</link>
	<description>Featuring Dr. Eugene Schultz, Emagined Security CTO</description>
	<lastBuildDate>Tue, 07 Sep 2010 17:44:33 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Does Heartland Blame its QSAs?</title>
		<link>http://blog.emagined.com/2009/08/17/529/</link>
		<comments>http://blog.emagined.com/2009/08/17/529/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 17:01:43 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[Penetration Testing]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/?p=529</guid>
		<description><![CDATA["It would really help if PCI-SSC would stop saying, 'We've never seen anyone who was breached that was PCI compliant.' "]]></description>
			<content:encoded><![CDATA[
<p>Rich Mogull’s stern admonitions (<a href="http://securosis.com/blog/an-open-letter-to-robert-carr-ceo-of-heartland-payment-systems/">http://securosis.com/blog/an-open-letter-to-robert-carr-ceo-of-heartland-payment-systems/</a>) to Robert Carr, the CEO of Heartland Payment Systems, after Carr’s interview by CSO Online (<a href="http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down">http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down</a>) are shrill and overstated. Mogull took several paragraphs to refute something attributed to Carr that never appeared in the Carr interview: that Carr blames his QSAs for his breach.</p>
<p>In the article, Carr never blamed his QSAs for the breach. Carr does say, “The audits done by our QSAs were of no value whatsoever,” and he later says, “The false reports we got for 6 years (from our QSAs), we have no recourse. No grounds for litigation.” While these statements might imply that the QSAs were to blame, they are a long way from making that assertion.</p>
<p>Carr expresses frustration that nothing his QSAs did in any way prepared Heartland to discover or defend against the attack. An aggrieved shareholder might have said the same thing about financial audits at Enron; why didn’t the auditors tell us about the massive fraud? Or how about Lehman Brothers shareholders’ plight? Who should have told them about the impending crash? Carr’s frustration seems to be that when he looked at the contract with his QSA, he realized that the QSA had no obligation to tell Heartland about the possible existence of vulnerabilities that might be exploited.</p>
<p>It is ironic that Heartland will rely on those very same QSA reports as a key part of their defense against those who are suing them over the incident. Claimants will say Heartland “knew or should have known about the existence of an exploitable vulnerability.” Obviously, Carr intends to argue that Heartland relied absolutely on the QSA reports and was shocked, SHOCKED, when the breach was discovered only moments after their most recent PCI clean bill of health.</p>
<p>The weakness of Mogull’s argument is obvious from Carr’s and Heartland’s new commitment to leading edge security, focused on “data in transit” as well as major new initiatives in data loss prevention (DLP) that go well beyond the scope of the PCI-DSS. If Carr really thought his QSAs and not Heartland were to blame for the breach – as Mogull claims – why would Carr now embark on these initiatives? Would Carr not claim, “look at our PCI report and see that we are clearly doing enough to prevent breaches to cardholder data,” if Mogull is right?</p>
<p>Mogull’s patronizing letter goes on and on pontificating about Carr’s role as CEO and explaining the issues with accountability, roles and independence with which Carr obviously needs no help.</p>
<p>Mogull criticizes Carr for “rely(ing) completely on an annual external assessment to define the whole security posture of his organization.” This is an outrageous accusation against Heartland; one might infer that they had no security staff or that they were dolts. The fact is that Heartland did not “rely completely” on their QSAs and they can prove they didn’t. Of course, we do not know the contents of the confidential report given Heartland by its QSAs and we do not know whether the QSAs gave them a soothing reassurance that all was OK. We do know that Carr thought he paid his QSAs for more and only after he read the fine print did he discover that more was a pipe dream.</p>
<p>All of this lather shifts attention away from PCI-DSS. PCI-SSC and the card brands might consider a reduced system of fines for cases where the processor or merchant passed their PCI assessment but still experienced a breach. As we’ve seen with Heartland and CardSystems Solutions, having a breach is no fun and costs a lot. Adding punitive PCI fines seems to be piling on, a substantial infraction in the NFL, yielding a 15-yard penalty and automatic first down. And it would really help if PCI-SSC would stop saying &#8220;We&#8217;ve <em>never</em> seen anyone who was breached that was <em>PCI compliant</em>.&#8221; This is an absurdity that perpetuates the fiction that (a) having a PCI certificate equates to being secure, and (b) following PCI is enough.</p>
<p>Bottom line, rants like Mogull’s do not help because they unfairly characterize the Heartlands of the world as trying to weasel out of accountability for security. We should instead be asking how companies like Heartland can better avoid breaches and provide them incentives for a positive track record, something that may be more effective than penalties and fines at this point. Like that old joke about 5,000 lawyers at the bottom of the ocean, PCI-DSS is a good start. But PCI-DSS is not the final word and PCI-SSC knows that. They have put out <a href="https://www.pcisecuritystandards.org/pdfs/pr_090624.pdf">a request for comments and suggestions for improvements to version 1.2</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2009/08/17/529/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What Is Information Security?  Really??</title>
		<link>http://blog.emagined.com/2009/03/02/what-is-information-security-really/</link>
		<comments>http://blog.emagined.com/2009/03/02/what-is-information-security-really/#comments</comments>
		<pubDate>Mon, 02 Mar 2009 16:24:48 +0000</pubDate>
		<dc:creator>James M. Anderson, CISSP, CISM, CGEIT</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://blog.emagined.com/?p=378</guid>
		<description><![CDATA[In the current issue of IEEE Security and Privacy, Silver Bullet Editor Gary McGraw, CTO of Cigital, asks an interesting question: &#8220;What is security?&#8221; His interviewee, Gunnar Peterson, Founder of Artec Group, mentions Dan Geer’s statement that security is &#8220;risk management.&#8221; Later in the interview, McGraw asks whether security is &#8220;a thing&#8221;. Peterson says it&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>In the current issue of IEEE Security and Privacy, Silver Bullet Editor Gary McGraw, CTO of Cigital, asks an interesting question: &#8220;What is security?&#8221; His interviewee, Gunnar Peterson, Founder of Artec Group, mentions Dan Geer’s statement that security is &#8220;risk management.&#8221; Later in the interview, McGraw asks whether security is &#8220;a thing&#8221;. Peterson says it&#8217;s a &#8220;set of services&#8221;. Also, security is defined by Butler Lampson as authentication, authorization, and auditing (&#8220;A-u &#8212; the Gold Standard&#8221; – ha ha). All of this mumbling about security illustrates an essential problem with the profession and the intellectual domain of information security: there is no good definition of information security that is generally accepted. For years, I have proposed that a better definition of information security than &#8220;CIA&#8221; is</p>
<p style="text-align: center; font-size:15px;"><strong><em>a well-informed sense of assurance that<br />
information risks and controls are in balance.</em></strong></p>
<p><span id="more-378"></span>This new definition illustrates an imperative in the practice of information security: information security is not a &#8220;thing.&#8221; It is not a snapshot. But it is a feeling. And, ultimately, information security is a feeling within human beings who are called upon to make conclusions and definitions about the trustworthiness of any given system regarding protections around information. I think information security professionals are uncomfortable with the idea that information security can be defined as a &#8220;feeling.&#8221; It sounds too &#8220;touchy-feely.&#8221; But using the feeling-based definition of information security is essential because it will serve to focus our attention as a professional discipline on the holistic problem of building a sense of assurance within diverse groups of people about the security &#8212; the set of controls and risks around a given information system &#8212; of an organization. This assurance-based definition of information security forces not only a level of transparency about the actual functioning of controls but to a certain extent a dialogue with principals &#8212; whether they be CEOs, consumers, or those who procure third-party information services &#8212; about their tolerance for risk. The beauty of the &#8220;best practices&#8221; approach to information security is that one can ask the question &#8220;do you have two factor authentication,&#8221; get an answer, and make a mark on a checklist. At some level this is satisfactory to all the parties at the table. However, in an era of revelations about new billion dollar Ponzi schemes each week, the importance of transparency and due diligence has been rediscovered. Simply asking &#8220;do you have two factor authentication&#8221; and getting a yes/no response does not even approach the level of understanding that is needed to conclude whether or not authentication security is adequate and appropriate for the information at hand. An assurance-based information security definition will force information security professionals to understand at a new level of transparency not only the mechanisms by which controls function but the degree to which controls have been properly implemented. Similarly, an assurance-based approach to information security will force those who operate controls to not only understand at a new level of transparency how those controls function but be able to measure and demonstrate how the functioning of those controls over a period of time achieves a defined level of protection. Without assurance, information security as a practice is stuck on &#8220;talk&#8221; about CIA, about risk management (whatever that is) etc. Once assurance is factored into the mix, information security practitioners are forced to &#8220;walk the talk&#8221; &#8212; that is, to define and understand the level of operational control that is achieved in any system or organization after a given quantity of due diligence, investigation and conclusions is input.</p>
<p>I had a great conversation recently with a friend of mine who is eminently qualified with deep academic credentials within the practice of information security. We touched on the topic of whether or not information security was a science. The unfortunate truth about today&#8217;s level of practice of information security is that there&#8217;s hardly any science involved. Sure there&#8217;s some math involved in the crypto side of things but science is not a major underpinning of our discipline as yet. Today, information security is much more of an art than a science. Artists make art and whether or not a given painting or a musical composition is art is quite subjective. I would argue far too subjective to form the basis of a discipline as important as information security. Information security needs to move to a world where facts, hypotheses, theories, and perhaps even proofs provide important underpinning to the risk decisions made by key stakeholders about whether or not information is safe. Only when we move to an assurance-based definition can we begin to know with any certainty whether or not an organization is merely &#8220;talking a good game&#8221; or is able to demonstrate that they &#8220;walk the talk.&#8221; Let&#8217;s begin asking CEOs, regulators, and other stakeholders how they know that a given control asserted to be in place at a given organization is in fact adequate. One of the reasons large auditing firms play such an important role in today&#8217;s world of financial due diligence is that they have a well developed set of procedures to test the systems of internal controls &#8212; including information security controls &#8212; of their respective audit clients. But while these procedures do a good job of allowing auditors to discover whether controls are implemented and operating properly, they are very costly and don&#8217;t really get at the question of how much risk is appropriate to take. This is where information security professionals have to focus their attention.</p>
<p>The present financial crisis provides the perfect opportunity for infosec professionals to refocus their attention on how to achieve assurance within an organization or system. Financial professionals are struggling to understand how it came to pass that risk rose to such high levels that (in some cases) firms went bankrupt or were nationalized. Similarly, infosec professionals need to work with their principal stakeholders to understand their appetite for risk and which controls operated in precise ways will serve in combination to control those risks appropriately. This will require more science not only to define and measure levels of risk acceptance but to define and measure precisely the effectiveness and operation of certain controls that we all take for granted in the protection of information.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.emagined.com/2009/03/02/what-is-information-security-really/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
