No Sophomore Slump for SC World Congress
The second annual SC World Congress was held recently in New York City, and Text 100’s Grace Pai-Leonard was there to join the dialogue.
For those of you who aren’t familiar, SC World Congress is an event put on by Haymarket Media, publishers of SC Magazine, and can be considered an East Coast version of the RSA Conference USA – just far more intimate and with an international flair.
This year, the event was held at the Sheraton Towers, which was a huge improvement over the cavernous Javits Center last year. Thanks to a lot less open space, the show was bustling with delegates and exhibitors.
Logistically it was an improvement as well, as anyone who has tried to get to an event at the Javits can attest.
The biggest draw of the show was the Day One keynote from Heartland Payment Systems’ CEO Bob Carr. We’re talking standing room only, with people even squatting on stairs on one side of the room until the ushers swept through.
It was interesting to listen to Carr recount the story of Heartland’s notorious breach, for two main reasons. First, he talked about the timing of the disclosure, which coincidentally (or conveniently, if you’re a conspiracy theorist) fell on Inauguration Day. According to Carr, the malware was found on a Friday before a holiday weekend, so they reported it the next business day, meaning it was temporarily overshadowed by that little news story of Obama taking the Oval Office.
Hey, security breaches can happen whenever. I’m not going to say otherwise. But the timing certainly raised a few eyebrows in the church of Transparency and Openness. You be the judge, and remember that when it comes to breach notification, sooner is better – once you have the facts.
The other observation from Carr’s keynote was that he didn’t stray from the party line with his comments about QSAs, stating “Reports from QSAs aren’t worth much.” He did, however, surprise us by not entirely bashing PCI, and instead indicated that it’s “a good standard that needs to be improved.” And then, as expected, he plugged end-to-end encryption as the answer.
Carr’s comments raise a whole bunch of questions: Can one member of the payment chain be solely responsible for a breach? Shouldn’t accountability be shared? Security guru Rich Mogull of Securosis makes a strong case for why it’s the chief executive’s job to take ultimate responsibility.
Is there such a thing as a silver bullet for security, whether end-to-end encryption or something else? The consensus, as articulated by PCI’s Bob Russo, is that security must follow a layered approach.
Feel free to weigh in. We’d love to hear your thoughts.
In the meantime, thanks to SC World Congress for bringing the security community together on the East Coast. We’re already looking forward to next year.