Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Open Responsiveness to IT Security Risks

Transcript of a BriefingsDirect podcast on the need to recognize the inevitability of a security threat and devise ways to respond quickly and openly.

Listen to the podcast. Find it on iTunes. Sponsor: HP
Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.
Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]
I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome, Raf.
Raf Los: Hey, Dana. Good to be back.
Gardner: Where are you calling in from today?
Los: Well, we are in beautiful Nashville, Tennessee, the birthplace -- and currently on the birthday -- of Mr. Jack Daniels.
Gardner: Pretty good. We also have a fascinating show today, because we’re joined by a gentleman from Heartland Payment Systems, where they're building better security as a culture into their operations and business strategy. With that, I'd like to introduce our guest John South, Chief Security Officer at Heartland Payment Systems, which is based in Princeton, New Jersey. Welcome, John.
John South: How are you doing, Dana?
Gardner: I'm doing great. Prior to joining Heartland in September of 2009, John held leadership roles in information security at Convergys and in Alcatel-Lucent. He has also spent several years in Belgium and Paris, leading Alcatel European information security operations.
Furthermore, John is an adjunct professor at the University of Dallas, where he teaches digital forensics, and with Dr. John Nugent, he has co-founded the university’s Information Assurance Program. That program, incidentally, has been designated as a National Security Agency (NSA) Center for Excellence since it began in 2002.
What's more, John has been an active member of the US Secret Service North Texas Electronic Crimes Task Force since its inception in 2003. And he's the founding president of the FBI’s North Texas InfraGard Program.
Let's talk a little bit about your tenure, John. You've been at Heartland Payment Systems for several years now. You’re talking about changing culture and instilling security, but you got there at a pretty tough time. Why don't you tell us a little about what was going on at Heartland when you arrived?
South: Dana, certainly 2009, when I joined, was one of turmoil and anxiety, because they had just gone through a breach. The forensics had been completed. We understood how the breach had taken place, and we entered a period of how to not only remediate and contain that and future breaches, but also how to make that security consistent and reliable in the future.
Cultural problem
It was not only a technical problem, but it became very quickly a business and a cultural problem that we also had to solve. As we took the elements of the breach and broke it down, we were able to figure out technically the kinds of controls that we could put in place that would assist in shortening the gap between the time we would see a future breach and the time we were able to respond.
More importantly, as you pointed out, it was developing that culture of security. Certainly, the people who made it through the breach understood the impact of the breach, but we wanted to make sure that we had sustainability built into the process, so that people would continue to use security as the foundation.
Whether they were developing programs, or whatever their aspect in their business, security would be the core of what they looked at, before they got too far into their projects. So, it's been an interesting couple of years for Heartland.
Gardner: Just for background for our listeners, in early 2009, something on the order of 94 million credit card records were stolen due to a SQL injection inserted into your data-processing network. I’d also like to hear more about Heartland Payment Systems, again for those of our listeners who might not know. I believe you’re one of a handful of the largest credit card processors in the U.S., if not the world.
South: We are. Right now, we’re number six in the US, and with consolidation and other aspects, that number floats around a bit. We're basically the pipeline between merchants and the banking system. We bring in payments from credit cards and debit cards. We handle payroll, micro payments and a number of other types of payroll channel or payment channels that we can then move from whatever that source, the merchant, to the appropriate bank that needs to handle that payment.
It's a very engaging process for us, because we’re dealing with card brands on one side, banks on another, and the merchants and their customers. But the focus for Heartland has always been that our merchants are number one for our company.
That's the approach we took to the breach itself, as you may know. We’ve been very open with the way we work with our merchants. In fact, we established what we call The Merchants Bill of Rights. That was part of the culture, part of the way that our executive team thought all along. So, the way they handled the breach was just an extension of the way they always thought about our merchants and our customers themselves.
Gardner: Raf Los, we’ve seen a variety of different ways companies have reacted to breaches of this magnitude, and even for things smaller and everything in between. Most of the time, the reaction is to put up more barriers, walls, or a perimeter, not only around the systems, but around the discussion of what happens to their systems when security can become an issue. So, why is Heartland’s case different, and why do you think it's interesting and perhaps beneficial in how they’ve handled it?
Los: Dana, first, there are two ways that you can take a monumental impact like this to your business. You can either be negative about it, and in some cases, try to minimize it, keep the media from it, keep your customers from getting the full information, and try to sweep it under the rug.
In some cases, that even works. Maybe the world forgets about it, and you get a chance to move on. But, that's one of those karmic things that comes back to bite you. I fully believe that.
Phoenix transformation
What Heartland did is the poster child for the phoenix transformation. John touched on an interesting point earlier. For them, it was a focus on the merchants, or their customers. The most important thing wasn’t the fact that they had a data breach, but it was the fact that a lot of their merchants were impacted. The people they did business with were impacted. Their reputation was impacted.
Their executives took a stand and said, "Look, we can do this the easy way, try to get out of it and scoot, and pretend it didn’t happen. Or, we can take responsibility for it, step up, and take the big kick in the pants in the short run. But in the long term, we'll both earn the industry’s respect, the respect of our customers, and come out of it with a transformation of the business into a culture where, from the people that lead the company down to the technologist, security is pervasive." That's gutsy, and now we know that it works, because they did it.
Gardner: It's my understanding that it only took them a couple of months after this breach to issue a statement about being in compliance with the Payment Card Industry Data Security Standard (PCI DSS) and returning to Visa's list of validated service providers. So you had a fairly quick response to the major issues.
I'd like to hear more, John, about how the culture has changed since that time, so that others might learn from it, not only the openness benefits, but how the culture of security itself has changed?
South: Dana, you made a very good point that going back to becoming compliant under the eyes of PCI and the card brands took six weeks. I have to plug the guys in the company for this, because that was six weeks of some people working 20-22 hours a day to bring that about.
There was a huge effort, because it was important for us and important for our customers to be able to have the reliance that we could stem this thing quickly. So, there was a lot of work in that period of time to bring that together.
That also helped build that culture that we’re talking about. If you look at the two parameters that Raf had put out there, one being we could have obfuscated, just hid the fact, tried to run from the press, and been very evasive in our wording. That may have worked. And it may not have worked. But, for us, it wasn’t an option, and it wasn’t an option at all in the process.
For us, it was part of the executive culture to be very open and the people who participated in the breach understood that. They knew the risk and they knew that it was a time of great distress for them to be able to handle the breach and handle the pressure of having been breached.
What that did for our customers is build a strong reliance upon the fact that we took this very
seriously. If we had taken this as “let's hide the fact, let's go ahead and fix the problem and see
what we can get away with,” it would have been the wrong message to carry to our people to
begin with. It would have said to our people that it's okay if we go ahead and fix the problem, but
it's just a fix. Fix it and walk away from it.
For us, it became more that this is something we need to take responsibility for. We took that
responsibility. As we say, we put on the big-boy pants, and even though we had the financial hit
in the short run, the benefits have been wonderful from there. For instance, during the course of
the breach, our attrition was very, very low. Our customers realized by our being that open that
we were seriously involved in that process.
Honesty and openness
Los: John, that speaks perfectly to the fact that honesty and openness in the face of a failure
like that, a big issue, is the thing to do. If I found that something like that happened and the first
thing you told me was, "It's no big deal. Don’t worry about it," I'd get suspicious. But if you told
me, "Look, we screwed up. This is our fault. We're working to make it better. Give us some time,
and it will be better," as a customer, I'm absolutely more apt to give you that benefit of the doubt.
In fact, if you deliver on that promise long-term, now you’ve got a really good relationship. I
hope by now we've realized, most people have realized, that security is never going to reach that
magical utopian end state. There is no secure.
We provide the best effort to the alignment of the business and sometimes, yes, bad things
happen. It's the response and recovery that’s absolutely critical. I don't want to beat a dead horse,
but you guys did a fantastic job there.
South: Thank you, Raf, and you hit a really important point. Security is not that magic pill. We
can't just wave a security wand and keep people out of our networks. If someone is motivated
enough to get into your network, they're going to get into your network. They have the resources,
the time, the money, and, in many cases, nation-state protection.
So they have the advantage in almost every case. This goes back into the concept of asymmetric
warfare, where the enemy has a great deal more power to execute their mission than you may
have to defend against it. For us, it's a message that we have to carry forward to our people and
to our customers -- that our effort is to try to minimize the time from when we see an attempt at a
compromise to the time we can react to it.
Los: I took that note earlier, because you said that a couple times now and I'm intrigued by
"mean time to discovery" (MTTD). I think that’s very meaningful, and I don’t know how many
organizations really and truly know what their MTTD is, whether it's in applications, and how
long it takes to find a bug now in the wild, once it’s made it past your release cycle, or how long it
takes to discover an intrusion.
That's extremely important, because it speaks to the active defenses and the way we monitor and
audit, because audit isn't just a dirty word that says somebody walks through, checks a couple of
boxes, and walks out.
I mean audit in the true sense. Someone goes through and looks at systems, does some critical
thinking, and does some deep analysis. Because, at the end of the day, John, I think will probably
be the first to say this, systems have gotten so complex right now to maintain. Real control on
this kind of sprawl is virtually impossible. Forget how much budget you can have. Forget how
many staff you can hire. It's just not possible with the way the business moves and the way
technology speeds along.
The rational way to look at that is to have a team that, every so often, takes a look at a system,
looking to fully audit on this. Let's figure out what's going, what's really going on, in this
platform.
South: That’s one of the cultural changes that we've made in the company. I have the internal IT
audit function also, which is very nontraditional for a company to do. A lot of times, the audit
function is buried up in an internal audit group that is external to the operation. That makes it
more difficult for them to do a truly effective audit of IT security.
Separate and independent
I have an audit group that stands separate and independent of IT, but yet is close enough with
IT that we can go in and effectively conduct the audits. We do a large number of them a year.
What's important about that audit function and what positively influences the effectiveness of an
audit is that you go into the meeting with, say, a technical group or a development group that you
want to audit, with a positive, reinforcing attitude -- an attitude of not only finding the issues, but
also of a willingness to help the group work out its solutions. If you go into the audit with the
attitude that “I am the auditor. I'm here to see what you are doing,” you're going to evoke a
negative reaction.
Los: It's adversarial.
South: It's adversarial. My auditors go in with a completely different attitude. "I'm here to help
you understand where your risks are." That whole concept of both moving from an adversarial to
a proactive response to auditing, as well as having a very proactive engagement with security, is
what's really made a big cultural shift in our company.
Los: Yeah, that’s fantastic. That’s the way to put it.
Gardner: In listening to you both, I am hearing shifts in perceptions that are having very
powerful impacts on your businesses and perhaps the industry. First, of course, was to recognize
that being open about a security breach allows you to deal with it more directly.
Even on a personal psychology level, if you have secrets in a family setting, it's hard to address
them. The same thing probably pertains to security. Changing that perception of this as being
open allows you to address it more directly.
Then, it's also looking at that MTTD, recognizing that you're not necessarily going to prevent
types of intrusions that can be damaging. The sooner you know about them, the more you can
contain them and limit the damage. There's also the shift in perception more toward directness of
being real about what the risks are.
Lastly, there's the shift in perception about moving from an adversarial position on what your
weaknesses are to looking at that as the very fundamental step to remediation and getting to that
level of containment. It all sounds very powerful.
Help me better understand how we get companies, for those who are listening, to shift
perceptions about security.
South: That’s always a strong question that has to be put to your executive team. How do we
shift the understanding and the culture of security? In our case, our executive team realized that
one of the fundamental things that was important for security of our company as a whole was
that security had to be baked into everything that we did.
So we've taken that shift. The message that I take out to my people, and certainly to the people
who are listening to this podcast, is that when you want to improve that security culture, make
security the core of everything that takes place in a company. So whether you're developing an
application or working in HR, whether you're the receptionist, it doesn't matter. Security has to
be the central principle around which everything is built.
Core principle
If you make security the adjunct to your operation, like many companies do, where security is
buried several layers down in the IT department, then you don't have the capability of making it
the fundamental and core principle of your company. Again, it doesn't matter who you are in a
company, you have some aspect of security that is important to the company itself.
For us, the message that we're trying to get out to people is to wrap everything you do around the
security core. This is really big, particularly in the application world. If you look at many other
traditional ways that people do application development, they'll develop a certain amount of the
code and then they'll say, "Okay, security, go check it."
And of course, security runs their static and dynamic code analysis and they come back with a
long list of things that need to be fixed, and then that little adversarial relationship starts to
develop.
Los: John, as you're talking about this, I think back. Everybody's been there in their career and
made mistakes. I'll readily admit that this is exactly what I was doing about 12 or 13 years ago in
my software security role.
I was a security analyst. The application would be ready to go live. I'd run a scan, do a little bit of
testing and some analysis on it, and generate a massive PDF report. Now you either walk it over
to somebody’s cube, drop it off, walk away, and tell them to go fix their stuff, or I email it, or
virtually lob it over the wall.
There was no relationship. It's like, "I can't believe you're making these mistakes over and over.
Now go fix these things.” They'd give me that “I am so confused. I don’t know what you're
talking about look." Does it ever get fixed? Of course, not.
South: And, Raf, the days of finishing a project on Thursday, turning it over to security, saying,
"This is going live on Friday," are long gone. If you're still doing that, you're putting your
company at risk.
Los: Agreed.
Gardner: Perhaps, Raf, for those of us who are in the social media space, where we're doing
observations and we're being evangelists, that there is a necessary shift, too, on how we react to
these security breaches in the media.
Rather than have a scoreboard about who screwed up, perhaps it's a better approach to say who
took what problems they had and found a quick fix and limited the damage best. Is there a need
for a perception shift in terms of how security issues in IT and in business in general are reported
on and exposed?
Los: I absolutely believe that rather than a shamed look, it's always better to lead by example,
and hold those who do a good job in higher esteem, because then people will want to aspire to be
better. I fundamentally believe that human beings want to be better. It's just we don’t always have
the right motivations. And if your motivation is, "I don’t want to be on that crap list," for lack of
a better term, or "I don’t want to be on that worst list," then you'll do the bare minimum to not be
on that worst list.
People will respond
If there's a list of top performing security companies or top performing companies that have the
best security culture, whatever you want to call it, however you want to call that out, I firmly
believe people will respond. By nature, people and companies are competitive.
What if we had an industry banquet and we invited everybody from all the heads of different
industries and said, "Nominees for best security in an industry are, finance, health care,
whatever?" It would be a show like that, or something.
It wouldn't have to be glitzy, but if we had some way of demonstrating to people that your
customers in the world genuinely care about you doing a good job -- here are the people who
really do a good job; let's hold them up at high esteem rather than shame the bad ones -- I think
people will aspire to be better. This is always going to work going forward. The other way just
hasn’t worked. I don’t see anything changing.
South: I think that's the right direction, Raf. We still have some effort to go in that direction. I
know of one very, very large company, and one of their competitors had been breached just
recently. So I called a contact I had in their security group and passed on the malware. I said you
might want to check to see if this is in your organization.
He said thanks, and I called him up a couple of days later and I asked, "How did it go?" He said,
"Upper management kind of panicked for a little bit, but I think everything settled down now."
This was code for "they didn't do much."
We have some progress still to make in that direction, but I think you're absolutely correct that
the more these people see successful examples of how you can deal with security issues, the
more it's going to drive that cultural change for them. Too often they see the reverse of that and
they say, "Thank God that wasn’t us."
Gardner: We need to start to close out, but another interesting issue here is that you can't look at
just technology without considering the culture, and you can't consider the culture without the
issues around the technology.
What's changing on the technology side that either of you think will lead to perhaps an
improvement on the culture? Is there something that comes together between what's new and
interesting about the technologies that are being deployed to improve posture around security
and that might aid and abet this movement toward openness and the ability to be direct, and
therefore more effective in security challenges?
Los: We're looking at each other for a good answer to that, but one of the keys is the pace of
change in technology. That technology, for a number of years, in our personal lives, used to lead
technology in the business world.
So a laptop or desktop you had at home was usually an order of magnitude greater than what
was sitting on your desktop at the office and your corporate phone would be an ancient
clamshell, while you have your smartphone in your pocket for home use.
Fewer devices
What's starting to happen is people are getting annoyed with that, and they want to carry fewer
devices. They want to be able to interact more and organizations want maximum productivity.
So those worlds are colliding, and technology adoption is starting to become the big key in
organizations to figure out what the direction is going to be like, what is the technology trend
going to be. Then, how do we adapt to it and then how do we apply technology as a measure of
control to make that workable? So understand technology, understand direction, apply policy, use
technology to enforce that policy.
South: And it's finding what elements of technology are relevant to what you're doing. You see a
large push today on bring your own device (BYOD), and the technologies that are making almost
a commodity of the ability to handle information inside your company.
The biggest challenge that we are facing today is being able to make relevant technology
decisions, as well as to effectively apply that new technology to our organizations. It's very
simple, for instance, to put a product like an iPad onto your network and start using it, but is it
effectively protected and have you thought about all of the risks and how to manage those risks
by putting that device out there?
Technology is advancing, as it always does, at a very high clip, and business has to take a more
measured response to that, but yet be able to effectively provide something for its employees, as
well as its customers, to be able to take advantage of the new technologies in today's world.
That's what you're seeing a lot in our customer base and the payments space in mobile
technologies, because that's the direction that a lot of the payment streams are going to go in the
future, whether it be contact or contactless Europay, Mastercard, and Visa (EMV) cards or
phones that have near field communication (NFC) on them. Whatever that direction might be,
you need to be responsive enough to be able to be in that market.
As you said, it's technology that’s driving something of the business itself, as well as the business
and the culture in the company being able to find ways to effectively use that technology.
Los: It's kind of funny, because just as every technology is innovative, it helps us, whether it's to
perform commerce faster, be safer, or do something better. Every one of those comes with risk,
whether it's NFC, web applications, mobile, card, whether it's whatever you name today. There
are limitations in security types of issues with everything, and it comes down to what we're
willing to deal with, what controls can we put around it to mitigate it, and what's the outcome at
the end of the day.
South: Exactly. And if things go wrong.
Los: Then what?
South: How do we detect it, how do we resolve, how do we contain it, and how do we respond
to it?
Los: Yup.
Gardner: Maybe even better than saying if things go wrong, have the attitude of when they go
wrong.
Los: Absolutely.
South: That has to be your attitude today, because it's no longer a question of if I put the right
trenches and walls in place, can I hold these guys off, because even if I didn’t have a connection
to the Internet, people can still get to my information and take it away. It has to be an attitude of
we'll work from the assumption of breach and build our defenses from there. So it goes back to
Raf’s concept of MTTD, which of course assumes that you have detected it.
Los: Right, that it is an assumption.
South: And measure it from there, but that’s the only approach you can take, because if people
take an approach that I can keep it away from me, we call those people targets.
Gardner: I'm afraid we will have to leave it there. Please join me in thanking our co-host,
Raf Los. He is the Chief Security Evangelist at HP Software. Thank you so much, Raf.
Los: It’s always a pleasure to be here.
Gardner: I'd also like to thank our supporter for this series, HP Software, and remind our
audience to carry on the dialog with Raf on his own blog and through the Discover Performance
Group on LinkedIn.
I'd also like to extend a huge thank you to our special guest, John South, Chief Security Officer
at Heartland Payment Systems. Thank you, sir.
South: Thank you, Dana. I appreciate it.
Gardner: And you can gain more insights and information on the best of IT Performance
Management at http://www.hp.com/go/discoverperformance.
And you can also access this and other episodes in our HP Discover Performance Podcast
Series on iTunes under BriefingsDirect.
I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this
ongoing discussion of IT innovation and how it’s making an impact on people’s lives. Thanks
again for listening, and come back next time.
Listen to the podcast. Find it on iTunes. Sponsor: HP
Transcript of a BriefingsDirect podcast on the need to recognize the inevitability of a security
threat and devise ways to respond quickly and openly. Copyright Interarbor Solutions, LLC,
2005-2012. All rights reserved.