Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Open Responsiveness to IT Security Risks
Transcript of a BriefingsDirect podcast on the need to recognize the inevitability of a security threat and devise ways to respond quickly and openly.

Listen to the podcast. Find it on iTunes. Sponsor: HP

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives. Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome, Raf.

Raf Los: Hey, Dana. Good to be back.

Gardner: Where are you calling in from today?

Los: Well, we are in beautiful Nashville, Tennessee, the birthplace -- and currently on the birthday -- of Mr. Jack Daniels.

Gardner: Pretty good. We also have a fascinating show today, because we're joined by a gentleman from Heartland Payment Systems, where they're building better security as a culture into their operations and business strategy. With that, I'd like to introduce our guest, John South, Chief Security Officer at Heartland Payment Systems, which is based in Princeton, New Jersey. Welcome, John.

John South: How are you doing, Dana?

Gardner: I'm doing great. Prior to joining Heartland in September of 2009, John held leadership roles in information security at Convergys and in Alcatel-Lucent. He has also spent several years in Belgium and Paris, leading Alcatel European information security operations.

Furthermore, John is an adjunct professor at the University of Dallas, where he teaches digital forensics, and with Dr. John Nugent, he has co-founded the university's Information Assurance Program. That program, incidentally, has been designated as a National Security Agency (NSA) Center for Excellence since it began in 2002.
What's more, John has been an active member of the US Secret Service North Texas Electronic Crimes Task Force since its inception in 2003. And he's the founding president of the FBI's North Texas InfraGard Program.

Let's talk a little bit about your tenure, John. You've been at Heartland Payment Systems for several years now. You're talking about changing culture and instilling security, but you got there at a pretty tough time. Why don't you tell us a little about what was going on at Heartland when you arrived?

South: Dana, certainly 2009, when I joined, was one of turmoil and anxiety, because they had just gone through a breach. The forensics had been completed. We understood how the breach had taken place, and we entered a period of how to not only remediate and contain that and future breaches, but also how to make that security consistent and reliable in the future.

Cultural problem

It was not only a technical problem, but it became very quickly a business and a cultural problem that we also had to solve. As we took the elements of the breach and broke it down, we were able to figure out technically the kinds of controls that we could put in place that would assist in shortening the gap between the time we would see a future breach and the time we were able to respond. More importantly, as you pointed out, it was developing that culture of security. Certainly, the people who made it through the breach understood the impact of the breach, but we wanted to make sure that we had sustainability built into the process, so that people would continue to use security as the foundation.

Whether they were developing programs, or whatever their aspect in their business, security would be the core of what they looked at, before they got too far into their projects.
So, it's been an interesting couple of years for Heartland.

Gardner: Just for background for our listeners, in early 2009, something on the order of 94 million credit card records were stolen due to a SQL injection inserted into your data-processing network. I'd also like to hear more about Heartland Payment Systems, again for those of our listeners who might not know. I believe you're one of a handful of the largest credit card processors in the U.S., if not the world.

South: We are. Right now, we're number six in the US, and with consolidation and other aspects, that number floats around a bit. We're basically the pipeline between merchants and the banking system. We bring in payments from credit cards and debit cards. We handle payroll, micropayments and a number of other types of payroll channel or payment channels that we can then move from whatever that source, the merchant, to the appropriate bank that needs to handle that payment.
It's a very engaging process for us, because we're dealing with card brands on one side, banks on another, and the merchants and their customers. But the focus for Heartland has always been that our merchants are number one for our company.

That's the approach we took to the breach itself, as you may know. We've been very open with the way we work with our merchants. In fact, we established what we call The Merchants' Bill of Rights. That was part of the culture, part of the way that our executive team thought all along. So, the way they handled the breach was just an extension of the way they always thought about our merchants and our customers themselves.

Gardner: Raf Los, we've seen a variety of different ways companies have reacted to breaches of this magnitude, and even for things smaller and everything in between. Most of the time, the reaction is to put up more barriers, walls, or a perimeter, not only around the systems, but around the discussion of what happens to their systems when security can become an issue. So, why is Heartland's case different, and why do you think it's interesting and perhaps beneficial in how they've handled it?

Los: Dana, first, there are two ways that you can take a monumental impact like this to your business. You can either be negative about it, and in some cases, try to minimize it, keep the media from it, keep your customers from getting the full information, and try to sweep it under the rug.

In some cases, that even works. Maybe the world forgets about it, and you get a chance to move on. But, that's one of those karmic things that comes back to bite you. I fully believe that.

Phoenix transformation

What Heartland did is the poster child for the phoenix transformation. John touched on an interesting point earlier. For them, it was a focus on the merchants, or their customers. The most important thing wasn't the fact that they had a data breach, but it was the fact that a lot of their merchants were impacted.
The people they did business with were impacted. Their reputation was impacted. Their executives took a stand and said, "Look, we can do this the easy way, try to get out of it and scoot, and pretend it didn't happen. Or, we can take responsibility for it, step up, and take the big kick in the pants in the short run. But in the long term, we'll both earn the industry's respect, the respect of our customers, and come out of it with a transformation of the business into a culture where, from the people that lead the company down to the technologist, security is pervasive." That's gutsy, and now we know that it works, because they did it.

Gardner: It's my understanding that it only took them a couple of months after this breach to issue a statement about being in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and returning to Visa's list of validated service providers. So you had a fairly quick response to the major issues.
I'd like to hear more, John, about how the culture has changed since that time, so that others might learn from it, not only the openness benefits, but how the culture of security itself has changed.

South: Dana, you made a very good point that going back to becoming compliant under the eyes of PCI and the card brands took six weeks. I have to plug the guys in the company for this, because that was six weeks of some people working 20-22 hours a day to bring that about.

There was a huge effort, because it was important for us and important for our customers to be able to have the reliance that we could stem this thing quickly. So, there was a lot of work in that period of time to bring that together.

That also helped build that culture that we're talking about. If you look at the two parameters that Raf had put out there, one being we could have obfuscated, just hid the fact, tried to run from the press, and been very evasive in our wording. That may have worked. And it may not have worked. But, for us, it wasn't an option, and it wasn't an option at all in the process.

For us, it was part of the executive culture to be very open, and the people who participated in the breach understood that. They knew the risk, and they knew that it was a time of great distress for them to be able to handle the breach and handle the pressure of having been breached.

What that did for our customers is build a strong reliance upon the fact that we took this very seriously. If we had taken this as "let's hide the fact, let's go ahead and fix the problem and see what we can get away with," it would have been the wrong message to carry to our people to begin with. It would have said to our people that it's okay if we go ahead and fix the problem, but it's just a fix. Fix it and walk away from it.

For us, it became more that this is something we need to take responsibility for. We took that responsibility.
As we say, we put on the big-boy pants, and even though we had the financial hit in the short run, the benefits have been wonderful from there. For instance, during the course of the breach, our attrition was very, very low. Our customers realized by our being that open that we were seriously involved in that process.

Honesty and openness

Los: John, that speaks perfectly to the fact that honesty and openness in the face of a failure like that, a big issue, is the thing to do. If I found that something like that happened and the first thing you told me was, "It's no big deal. Don't worry about it," I'd get suspicious. But if you told me, "Look, we screwed up. This is our fault. We're working to make it better. Give us some time, and it will be better," as a customer, I'm absolutely more apt to give you that benefit of the doubt.

In fact, if you deliver on that promise long-term, now you've got a really good relationship. I hope by now we've realized, most people have realized, that security is never going to reach that magical utopian end state. There is no secure.
We provide the best effort to the alignment of the business and sometimes, yes, bad things happen. It's the response and recovery that's absolutely critical. I don't want to beat a dead horse, but you guys did a fantastic job there.

South: Thank you, Raf, and you hit a really important point. Security is not that magic pill. We can't just wave a security wand and keep people out of our networks. If someone is motivated enough to get into your network, they're going to get into your network. They have the resources, the time, the money, and, in many cases, nation-state protection.

So they have the advantage in almost every case. This goes back into the concept of asymmetric warfare, where the enemy has a great deal more power to execute their mission than you may have to defend against it. For us, it's a message that we have to carry forward to our people and to our customers -- that our effort is to try to minimize the time from when we see an attempt at a compromise to the time we can react to it.

Los: I took that note earlier, because you said that a couple times now and I'm intrigued by "mean time to discovery" (MTTD). I think that's very meaningful, and I don't know how many organizations really and truly know what their MTTD is, whether it's in applications, and how long it takes to find a bug now in the wild, once it's made it past your release cycle, or how long it takes to discover an intrusion.

That's extremely important, because it speaks to the active defenses and the way we monitor and audit, because audit isn't just a dirty word that says somebody walks through, checks a couple of boxes, and walks out.

I mean audit in the true sense. Someone goes through and looks at systems, does some critical thinking, and does some deep analysis. Because, at the end of the day, John, I think, will probably be the first to say this, systems have gotten so complex right now to maintain. Real control on this kind of sprawl is virtually impossible. Forget how much budget you can have.
Forget how many staff you can hire. It's just not possible with the way the business moves and the way technology speeds along.

The rational way to look at that is to have a team that, every so often, takes a look at a system, looking to fully audit on this. Let's figure out what's going, what's really going on, in this platform.

South: That's one of the cultural changes that we've made in the company. I have the internal IT audit function also, which is very nontraditional for a company to do. A lot of times, the audit function is buried up in an internal audit group that is external to the operation. That makes it more difficult for them to do a truly effective audit of IT security.

Separate and independent

I have an audit group that stands separate and independent of IT, but yet is close enough with IT that we can go in and effectively conduct the audits. We do a large number of them a year.
What's important about that audit function and what positively influences the effectiveness of an audit is that you go into the meeting with, say, a technical group or a development group that you want to audit, with a positive, reinforcing attitude -- an attitude of not only finding the issues, but also of a willingness to help the group work out its solutions. If you go into the audit with the attitude that "I am the auditor. I'm here to see what you are doing," you're going to evoke a negative reaction.

Los: It's adversarial.

South: It's adversarial. My auditors go in with a completely different attitude. "I'm here to help you understand where your risks are." That whole concept of both moving from an adversarial to a proactive response to auditing, as well as having a very proactive engagement with security, is what's really made a big cultural shift in our company.

Los: Yeah, that's fantastic. That's the way to put it.

Gardner: In listening to you both, I am hearing shifts in perceptions that are having very powerful impacts on your businesses and perhaps the industry. First, of course, was to recognize that being open about a security breach allows you to deal with it more directly.

Even on a personal psychology level, if you have secrets in a family setting, it's hard to address them. The same thing probably pertains to security. Changing that perception of this as being open allows you to address it more directly.

Then, it's also looking at that MTTD, recognizing that you're not necessarily going to prevent types of intrusions that can be damaging. The sooner you know about them, the more you can contain them and limit the damage. There's also the shift in perception more toward directness of being real about what the risks are.

Lastly, there's the shift in perception about moving from an adversarial position on what your weaknesses are to looking at that as the very fundamental step to remediation and getting to that level of containment.
It all sounds very powerful.

Help me better understand how we get companies, for those who are listening, to shift perceptions about security.

South: That's always a strong question that has to be put to your executive team. How do we shift the understanding and the culture of security? In our case, our executive team realized that one of the fundamental things that was important for security of our company as a whole was that security had to be baked into everything that we did.

So we've taken that shift. The message that I take out to my people, and certainly to the people who are listening to this podcast, is that when you want to improve that security culture, make security the core of everything that takes place in a company. So whether you're developing an application or working in HR, whether you're the receptionist, it doesn't matter. Security has to be the central principle around which everything is built.
Core principle

If you make security the adjunct to your operation, like many companies do, where security is buried several layers down in the IT department, then you don't have the capability of making it the fundamental and core principle of your company. Again, it doesn't matter who you are in a company, you have some aspect of security that is important to the company itself.

For us, the message that we're trying to get out to people is to wrap everything you do around the security core. This is really big, particularly in the application world. If you look at many other traditional ways that people do application development, they'll develop a certain amount of the code and then they'll say, "Okay, security, go check it."

And of course, security runs their static and dynamic code analysis and they come back with a long list of things that need to be fixed, and then that little adversarial relationship starts to develop.

Los: John, as you're talking about this, I think back. Everybody's been there in their career and made mistakes. I'll readily admit that this is exactly what I was doing about 12 or 13 years ago in my software security role.

I was a security analyst. The application would be ready to go live. I'd run a scan, do a little bit of testing and some analysis on it, and generate a massive PDF report. Now you either walk it over to somebody's cube, drop it off, walk away, and tell them to go fix their stuff, or I email it, or virtually lob it over the wall.

There was no relationship. It's like, "I can't believe you're making these mistakes over and over. Now go fix these things." They'd give me that "I am so confused. I don't know what you're talking about" look. Does it ever get fixed? Of course not.

South: And, Raf, the days of finishing a project on Thursday, turning it over to security, saying, "This is going live on Friday," are long gone.
If you're still doing that, you're putting your company at risk.

Los: Agreed.

Gardner: Perhaps, Raf, for those of us who are in the social media space, where we're doing observations and we're being evangelists, there is a necessary shift, too, in how we react to these security breaches in the media.

Rather than have a scoreboard about who screwed up, perhaps it's a better approach to say who took what problems they had and found a quick fix and limited the damage best. Is there a need for a perception shift in terms of how security issues in IT and in business in general are reported on and exposed?
Los: I absolutely believe that rather than a shamed look, it's always better to lead by example, and hold those who do a good job in higher esteem, because then people will want to aspire to be better. I fundamentally believe that human beings want to be better. It's just we don't always have the right motivations. And if your motivation is, "I don't want to be on that crap list," for lack of a better term, or "I don't want to be on that worst list," then you'll do the bare minimum to not be on that worst list.

People will respond

If there's a list of top performing security companies or top performing companies that have the best security culture, whatever you want to call it, however you want to call that out, I firmly believe people will respond. By nature, people and companies are competitive.

What if we had an industry banquet and we invited everybody from all the heads of different industries and said, "Nominees for best security in an industry are finance, health care, whatever?" It would be a show like that, or something.

It wouldn't have to be glitzy, but if we had some way of demonstrating to people that your customers in the world genuinely care about you doing a good job -- here are the people who really do a good job; let's hold them up in high esteem rather than shame the bad ones -- I think people will aspire to be better. This is always going to work going forward. The other way just hasn't worked. I don't see anything changing.

South: I think that's the right direction, Raf. We still have some effort to go in that direction. I know of one very, very large company, and one of their competitors had been breached just recently. So I called a contact I had in their security group and passed on the malware. I said you might want to check to see if this is in your organization.

He said thanks, and I called him up a couple of days later and I asked, "How did it go?"
He said, "Upper management kind of panicked for a little bit, but I think everything settled down now." This was code for "they didn't do much."

We have some progress still to make in that direction, but I think you're absolutely correct that the more these people see successful examples of how you can deal with security issues, the more it's going to drive that cultural change for them. Too often they see the reverse of that and they say, "Thank God that wasn't us."

Gardner: We need to start to close out, but another interesting issue here is that you can't look at just technology without considering the culture, and you can't consider the culture without the issues around the technology.

What's changing on the technology side that either of you think will lead to perhaps an improvement on the culture? Is there something that comes together between what's new and interesting about the technologies that are being deployed to improve posture around security and that might aid and abet this movement toward openness and the ability to be direct, and therefore more effective in security challenges?

Los: We're looking at each other for a good answer to that, but one of the keys is the pace of change in technology. That technology, for a number of years, in our personal lives, used to lead technology in the business world.

So a laptop or desktop you had at home was usually in the order of magnitude greater than what was sitting on your desktop at the office, and your corporate phone would be an ancient clamshell, while you have your smartphone in your pocket for home use.

Fewer devices

What's starting to happen is people are getting annoyed with that, and they want to carry fewer devices. They want to be able to interact more, and organizations want maximum productivity.

So those worlds are colliding, and technology adoption is starting to become the big key in organizations to figure out what the direction is going to be like, what the technology trend is going to be. Then, how do we adapt to it and then how do we apply technology as a measure of control to make that workable? So understand technology, understand direction, apply policy, use technology to enforce that policy.

South: And it's finding what elements of technology are relevant to what you're doing. You see a large push today on bring your own device (BYOD), and the technologies that are making almost a commodity of the ability to handle information inside your company.

The biggest challenge that we are facing today is being able to make relevant technology decisions, as well as to effectively apply that new technology to our organizations.
It's very simple, for instance, to put a product like an iPad onto your network and start using it, but is it effectively protected, and have you thought about all of the risks and how to manage those risks by putting that device out there?

Technology is advancing, as it always does, at a very high clip, and business has to take a more measured response to that, but yet be able to effectively provide something for its employees, as well as its customers, to be able to take advantage of the new technologies in today's world.

That's what you're seeing a lot in our customer base and the payments space in mobile technologies, because that's the direction that a lot of the payment streams are going to go in the future, whether it be contact or contactless Europay, Mastercard, and Visa (EMV) cards or phones that have near field communication (NFC) on them. Whatever that direction might be, you need to be responsive enough to be able to be in that market.

As you said, it's technology that's driving something of the business itself, as well as the business and the culture in the company being able to find ways to effectively use that technology.
Los: It's kind of funny, because just as every technology is innovative, it helps us, whether it's to perform commerce faster, be safer, do something better. Every one of those comes with risk, whether it's NFC, web applications, mobile, card, whether it's whatever you name today. There are limitations in security types of issues with everything, and it comes down to what we're willing to deal with, what controls can we put around it to mitigate it, and what's the outcome at the end of the day.

South: Exactly. And if things go wrong.

Los: Then what?

South: How do we detect it, how do we resolve it, how do we contain it, and how do we respond to it?

Los: Yup.

Gardner: Maybe even better than saying if things go wrong, have the attitude of when they go wrong.

Los: Absolutely.

South: That has to be your attitude today, because it's no longer a question of if I put the right trenches and walls in place, can I hold these guys off, because even if I didn't have a connection to the Internet, people can still get to my information and take it away. It has to be an attitude of we'll work from the assumption of breach and build our defenses from there. So it goes back to Raf's concept of MTTD, which of course assumes that you have detected it.

Los: Right, that it is an assumption.

South: And measure it from there, but that's the only approach you can take, because if people take an approach that I can keep it away from me, we call those people targets.

Gardner: I'm afraid we will have to leave it there. Please join me in thanking our co-host, Raf Los. He is the Chief Security Evangelist at HP Software. Thank you so much, Raf.

Los: It's always a pleasure to be here.

Gardner: I'd also like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialog with Raf on his own blog and through the Discover Performance Group on LinkedIn.

I'd also like to extend a huge thank you to our special guest, John South, Chief Security Officer at Heartland Payment Systems.
Thank you, sir.

South: Thank you, Dana. I appreciate it.

Gardner: And you can gain more insights and information on the best of IT Performance Management at http://www.hp.com/go/discoverperformance.
And you can also always access this and other episodes in our HP Discover Performance Podcast Series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.