Today in my inbox I got yet another invitation to attend a webinar that uses the Heartland data breach for some sort of benefit to the sponsoring organization. Yeah, everyone is doing it, just like we all did with TJX.
What annoys me is seeing those who were in IT management (leading up to and at the time of the breach) being put up on a pedestal, especially those who were ultimately responsible for the information security of the organization. It strikes me as odd that this occurred on their dime and they are now making dollars because of it. I'm not blaming them directly, at least I don't think I am.
Regardless of who ultimately turns out to be "the bad guy" in the whole Heartland breach fiasco, most breaches (the publicly disclosed ones, anyway) are ultimately found to be avoidable. Most could have been avoided by having an information security program that's properly aligned with the organization's overall risk management program. The PCI DSS is supposed to promote this model, but many organizations jump right to focusing on meeting the minimum requirements of the DSS. Having a QSA (Qualified Security Assessor) wave his magical Report on Compliance wand and deem you PCI compliant isn't the solution.