Why so much credit and "good" publicity for Heartland Mgmt for not practicing proper risk management?

Today in my in-box I got yet another invitation to attend a webinar that uses the Heartland Data Breach for some sort of benefit to the sponsoring organization. Yea, everyone is doing it. Just like we all did with TJX.

What annoys me is seeing those that were in IT Management (leading up to and at the time of the breach) being put up on a pedestal. Especially those that were ultimately responsible for the information security of the organization. It strikes me as odd that this occurred on their dime and they are now making dollars because of it. I'm not blaming them directly, at least I don't think I am.

Regardless of who ultimately turns out to be "the bad guy" in the whole Heartland breach fiasco, most breaches (the publicly disclosed ones anyways) are ultimately found to be avoidable. Most could have been avoided by having an information security program that's properly aligned with the organizations overall risk management program. The PCI DSS is supposed to promote this model, but many organizations jump right to focusing on meeting the minimum requirements of the DSS. Having a QSA (qualified security Assessor) wave his magical Report-On-Compliance wand and deem you PCI compliant isn't the solution.


  1. I think their CEO and security team deserve credit because they faced the music and are making a huge effort to get the word out on how to make things better. They are a solid team over there and are victims of a surge in hacker talent. Isn't it better that they help sibling organizations learn from their troubles?

    Seems like honorable behavior to me.


  2. I really wish this were the case. As the recent interview with Heartland CEO Mr. Carr points out, he is blaming the QSA's and claiming ignorance.

    They need to disclose the details of exactly how this happened and then I would agree that they are actually doing something to help prevent things like this from happening in the future.