Shostack + Friends Blog Archive


NotObvious On Heartland

I posted this also to the securitymetrics.org mailing list. Sorry if discussing in multiple venues ticks you off.

The Not Obvious blog has an interesting write-up on the Heartland breach and its impact. From the blog post:

“Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they have set aside to handle the one-time costs is a drop in the bucket compared to $1.5 billion in 2008 revenue and does not really even skim much off the top of the $161 million in profits from that same year (the numbers for 2009 look to be tracking the same). It is almost a guarantee that any member of the class action who submits a claim will see many years of scrutiny before receiving any payment, something which Heartland can factor into their yearly financial plans (and accommodate for by increasing fees).”

For thought:

  1. One wonders how much a “sufficient” (a loaded term, of course) InfoSec program for a company like Heartland costs on an annual basis.
  2. Does this set a sort of “worst case” bound on impact distributions?
  3. If so, how does a worst-case impact of ~$13 million (US) affect security management at retailers (politically)?

One comment on "NotObvious On Heartland"

  • According to their 10-Ks, “We have developed a number of systems that are designed to improve the effectiveness of our sales force, customer service and the management of our business. In 2008, 2007 and 2006 we spent $5.9 million, $4.2 million and $2.5 million, respectively, on capitalized software development costs. Many of the following systems are accessible over the Internet through http://www.e-hps.com. Each of these systems is regularly updated, with new releases of software scheduled every six weeks”.

    So, $12.6M is more than twice what they spend on their ongoing software development costs.

    My guess is even without an information security management program, companies like Heartland can at least afford to spend $15k/release (assuming every six weeks) on third-party application assessments that would include findings such as SQL injection. This might be a good starting point, at the very least. 2% of software development budget has been tossed around as an indicator for software security budget in the past.

    Better — they would partner with an application security consulting firm, which would involve spending millions of dollars over several years. The impact of such efforts would probably pay off in several different areas of quality and security improvement.

    My guess is that companies such as Heartland spend almost all, or at least 60-80%, of their security budget on end-user systems and issues. InfoSec is likely not tied to capital planning or enterprise architecture.

    With over a half-billion dollars in assets, and as a payment processor, I would think Heartland would be heavily invested in risk management. It’s extremely unlikely that they are willing to eat $13M annually for these types of costs. Let’s say, for example, that a company such as this spends $1M annually on their information security management program (note that this is less than one-fifth of a percent of their total assets). Verizon Business suggests spending these dollars on online data versus spending it on end-user systems, based on asset classes by percent of breaches and records.

    You don’t have to be Gunnar Peterson to make a top-level decision to heavily invest in the areas prescribed here.
