Thu 13 Aug 2009
Will the real leader please step forward
Posted by andyitguy under Ethics, compliance, information security
I read with interest and an upset stomach the interview on CSOonline.com by Bill Brenner with the CEO of Heartland Payment Systems. I think the next thing he should do is just step down, take his golden parachute and go home. I find it absolutely inexcusable and irresponsible for him to put the blame anywhere but on his own and Heartland's own shoulders. The only way he could blame anyone outside of Heartland for this would be if he had contracted out all of his network and security services to a third party and Heartland had no oversight of it. He has a team of professionals in networking, systems, applications and security who are responsible for designing, deploying, managing and securing the environment. It's not the responsibility of the QSA to secure the environment. Their job is to validate what they are given and told by their client. If the client gives them false information, then that is what they have to work with. They can't go through every part of the environment with a fine-tooth comb and check everything.
Rich Mogull and Mike Rothman have written their responses and thoughts on this. I'd recommend that you read their thoughts because they have some good things to say that I'm not going to repeat. What I do want to focus on is the lack of responsibility that Heartland is apparently accepting in this. If they can't own up to their own mistakes, then how can we trust them with our credit card info? If we can't trust them to be responsible in this, then how can we trust them to be responsible in any other way? Not only that, but he is sending the message to the teams who are responsible for his network that they don't really have to concern themselves with doing things right because he will just "pass the buck".
Apparently they haven't learned anything from other companies who have had major issues (Enron, Johnson and Johnson, TJX, MCI, etc.) and who have responded both in the right way and in the wrong way. They seem to think that they can just sweep this under the rug and that it will go away. Robert Carr is going to add his name to a long list of the disgraced if he isn't careful. He may come out of it with a pile of cash, but he will have lost something much more important: his integrity. He needs to step back VERY quickly, change his tune and take the responsibility that is rightly his.
We're seeing this more and more: people at all levels lying, cheating, and pushing responsibility off to others. Recently there was a poll in which companies (or their representatives) admitted to purposefully giving auditors misleading information so that they would look better than they really were. There have been surveys in which security professionals admit to taking data from their employers that they weren't supposed to have. There have been incidents where IT and security pros have planted viruses and logic bombs, reset passwords, deleted databases, etc. It's really shameful and sad.
Recently one of the email lists that I'm a member of had a discussion about a small company that had some problems with a project that didn't go as planned. The boss wanted to fire the guy he saw as being responsible for the problem instead of taking responsibility himself for problems that he clearly should have been on top of. I once worked for a company where management did all they could to pass decision responsibility on to someone else "just in case" it went wrong. The standard answer was "What is your recommendation?", or if asked a direct question in email they would avoid replying so that there wouldn't be a written record of their decision.
So what do we do about this? Unfortunately, there isn't much we can do about someone else who refuses to take responsibility except remove ourselves from any association with them. What we have to do is take responsibility for our own actions and for those of the teams that we lead. Then hopefully others will see how, in the long run, it really does pay off, and they will follow our example.
5 Responses to "Will the real leader please step forward"
I think his post was the best train-wreck interview I've seen in ages. I really hope he continues to play up the media circuit until he loses any credibility. Pass-the-buck accountability is not accountability at all. This guy wants to blame everyone but his own team, or himself.
From blaming malware to a potential SQL injection, I think he's trying to fuzz the story enough that he never has to accept that he wasn't compliant, and the only reason he wasn't fined more, or shut down, is that the almighty dollar reigns. The PCI knew the company was "too big to fail" and so they got a free pass to screw up.
In my opinion, them still being allowed to process cards and him still being CEO is a true disservice to and reinforces how much money companies are wasting with PCI.
The QSAs must have interviewed the security staff at Heartland to come to the conclusion that they were PCI compliant at that time.
So it seems that Heartland may have been taking the check box approach to compliance.