cutting corners with security*

There’s a comment over on Mogull’s blog post for the Heartland Payment Systems incident that was announced the other day. I wanted to link to it quick and highlight it. I won’t post the name or even copy the comment itself, but rather paraphrase (I’m just avoiding searches, especially if the comment gets removed later):

I have worked for the company for many years. They cut corners. They have big problems internally.

For the moment, let’s assume this comment is truthful and legit. A couple points I will use this for:

1. You get the real story on security the farther down into the trenches you go. Yes, you get far less actual risk management and less ability to accept risk, but you get the real deal down with the techs who have their fingers on the pulse of the network, systems, and processes. Any respectable security posture should include information-gathering from them.

2. Look behind the curtains of any company, and I would estimate that 99% cut corners, sometimes to the point of very large mistakes or oversights. This is why pen-testing is not going away or beginning to die. This is economics, really, and part of the superficial facade a business can throw up to anyone looking too closely. A role-play exercise for a security posture should be to pretend your systems and processes are suddenly transparent. What would the experts point out? What would Mike Rothman do? (Along the lines of “What would Brian Boitano do?”) This might throw eggs at “some security through obscurity,” but assume that still gives some value and can only be looked at lightly. Really, the role-play should expose the real problems.

3. Is it possible for PCI to improve a poor security posture that has been an active choice for that entity? If a company is cutting corners, choosing to accept risk poorly, or simply incompetent, I would bet they will actively make sure PCI doesn’t catch it, or outright lie, fudge, or (hah) cut corners with the Assessor.

*”Cutting Corners With Security” reminds me too much of the book series that might read, “How to Cheat at Securing Your Shit.”

One thought on “cutting corners with security*”

  1. RE: #3 – Yep! Certification is not necessarily evidence of diligence. Until it is evidence of diligence, PCI is just theater.

