Heartland CEO must take responsibility
Upon reading Bill Brenner from CSO's interview with Heartland Payment Systems CEO, Bob Carr, I kind of got a bit unglued. I wasn't the only one, as Rich Mogull provided a much more respectful and well-reasoned response than I could to voice similar disdain for the idea of blaming a data breach on the QSA. And our buddies Michael Farnum and Martin McKeay were happy to summarize and add their own spin.
So Bill was kind enough to allow me to vent a bit on CSO. You can read it in all its glory: http://www.csoonline.com/article/499565/One_Man_s_View_Heartland_CEO_Must_Accept_Responsibility
Here are a few of the money quotes:
"I say that's a load of crap. It's about time organizations suffering from a data breach owned up to the fact that they made a mistake. You see, the fine folks at Johnson and Johnson didn't throw the pharmacy under the bus when Tylenol got poisoned in 1982, did they? NO! They accepted responsibility (even though it wasn't their fault) and re-established trust with their customers."
"That, my friends, is the responsibility of the internal security team. That's what they do, and that's what they get paid for. And in Heartland's case, that's what they clearly failed to execute."
"But you have to hand it to Mr. Carr. He is proving to be a master at misdirection."
Basically, I'm not in the excuses business and neither should you be. Organizations need to man up and accept responsibility when something happens on their watch, and it needs to start at the top, with the CEO. So Bob Carr, you should be wearing a FAIL WHALE hat right now, wherever you are.

