NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

 


Fri, Aug 15, 2008 16:52 EDT

Former Hannaford CIO Has Harsh Words for Microsoft and PCI DSS

Topic: Enterprise Management

Current Rating: 5 Comment: 1

The Hannaford Supermarket chain suffered a data breach earlier this year that resulted in information relating to 4.2 million payment cards being grabbed. As of July 1st, Bill Homa, who had served as CIO for 12 years, stepped down from that position.

Shortly after his departure, Homa was interviewed by Storefrontbacktalk.com's Evan Schuman. In an article based on their discussion that was published July 11th, Homa shares some interesting comments regarding Microsoft, the PCI Data Security Standard, and the approach other CIOs should take towards security.

Relating to Microsoft, Homa said, "We used a lot of Linux. None of the breach was anything related to Linux. All of it was Microsoft. Homa went on to say, "Microsoft is so full of holes. That's why it's still a target. If you limit your exposure to Microsoft, you're going to be in a more secure environment."

When it comes to the PCI Data Security Standard and Hannaford's situation, including the oft-reported fact that Hannaford had recently passed a PCI compliance assessment, Homa siad, "either the standards weren't strong enough of the assessor wasn't doing his job."  Homa made his opinion particularly clear on the area where Hannaford was apparently most vulnerable - encrypting data on private point-to-point networks. "All debit and credit card transactions should be encrypted from end to end. That should be the minimum. It's astonishing that isn't the standard of PCI", Homa stated in the interview.

What was of particular interest was Homa's view of how to approach IT security. "Most retailers have the philosophy of keeping people out of their network. It's impossible to keep people out of your network. There are bad people out there", Homa said. In fact, Homa, in another part of the article, suggested that more effort needs to be focused on the assumption that the bad guys will get in and how can you limit the damage they can do.

As you might expect, Mr. Homa's comments have led to some interesting feedback. I find it especially interesting that the CIO who was in charge during the breach has so much to say less then two weeks after he left Hannaford's employment. It would be pretty easy to write this off as sour grapes, but I think we can at least take his comments about securing the data within your infrastructure as a good reminder that sooner or later, someone with malicious intent will find a way into your systems, either from within your company or from outside.

If your organization struggles to understand how your systems are configured and when those configurations change, especially as it related to the PCI Data Security Standard, you should spend some time researching configuration audit and compliance reporting solutions like Ecora Auditor Pro. It's a valuable weapon for identifying potential configuration vulnerabilities and providing you the insight needed to limit the effectiveness of anyone improperly accessing those areas of your infrastructure where sensitive customer and corporate data resides.

You do not have flash or javascript support.
Average (1 vote)
5
 
 
Thu, Jan 22, 2009 9:29 EST
Anonymous user
Posted by: Anonymous
Rating: 90

I found your article while searching for advice on how to get started documenting our systems with the intent of getting a handle on complianace and security issues. We are currently using the Adivo TechWriter (www.adivo.com) line of documentation generator products to get a baseline on our databases, XML schemas, and web services. But because we are starting from ground zero, I'm not sure this excercise is a good starting point. The "configuration audit and compliance reporting solutions" that you mention seem rather complex and expensive... any thoughts or recommendations for smaller organizations getting started?

Start a Conversation
Click to post

Got something to say? We want to hear it! Click the Post button to get started. GO»

EXPERT ADVICE
See our roster of experts.

Advice & Opinion from more than 108 of IT's most insightful thinkers.

  PARTNERS       WEBCASTS    
 

Preparing for the Next Cyber Attack

Ensure you are up-to-speed on the latest security technologies available to keep your network safe in this Executive Guide. Get a thorough assessment of the corporate security threat landscape. Protect your network with data leakage protection, NAC and other technologies explained in this report.

Sponsored by Qwest  Read this Executive Guide »

 

Cloud Building: 8 Ingredients for Internal Clouds

Cloud computing: a fundamentally new way to deploy IT services and functions cost-effectively and quickly. Learn how the VMware vCloud initiative dramatically improves how consumers access their information and experience applications as well as the 8 ingredients to get you going.

Sponsored by VMWare  Read this White Paper »

 

Investing in Business Analytics Technology

You're thinking now is the time to take the plunge into business analytics, but you still have some unanswered questions. This research summary addresses the most common questions and concerns surrounding the successful launch of a business analytics initiative. It also includes real-world examples of organizations already getting return on their investment.

Sponsored by SAS  Read this White Paper »

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

Improving Transparency and Accuracy in IT Cross Charging

During this Webcast you'll learn how KBC Group implemented SAP BusinessObjects Profitability and Cost Management and realized many benefits.   View Now »

 

Cost Savings and Risk Reduction with Effective Systems Management

Join us and see how Novell can help you respond to today's economic challenges by increasing productivity, reducing costs and aligning IT initiatives with overall business goals.  View Now »

 

Capitalize on Your SAP Content

Learn ways to improve your content management by viewing these Open Text webinars today.  View Now »

Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

 
NEWSLETTER

Sign-up for the Blogs & Discussion Newsletter

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

Better spam protection with Postini for just $1/user/mo

Introducing the new HP ProLiant G6 server family

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Accenture IT Consulting: Logical meets technological. More . . .

The Fraudster Economy Model: Operating a Business in the Underground

Trade in your old laser printer and get up to $1000 back!

Taking the Service Desk to the Next Level

Revolutionizing Enterprise Application Deployment

Why Data Loss is Increasing--and What You Can Do About It

Data Loss Prevention: A Better Way to Approach Security

Learn how to managing client systems in the enterprise.

Build a High-Performance Open Web Platform

Mid-Sized Company CIO Community: infoBOOM!

Enterprise PBX Comparison Guide

Getting Value from Outdated Networking Equipment

Losing Ground: 2009 TMT Global Security Survey

Stop Application Fraud at the Source with Device Reputation

Learn about the VMware vSphere (TM) & Intel (R) Xeon (R) Processor 5500 Series

Learn how a virtualized enterprise can help your company reduce costs

Why Isn't Server Virtualization Saving Us More?

Learn how to save 30% through project & portfolio management.

How Open Source is Changing the Face of Enterprise Software

8 Key Ingredients to Building an Internal Cloud

Accenture IT Consulting: Enabling high performance. More...

Top Five CIO Challenges

Insight makes it easy to spend your Microsoft subsidy check.

Five minute business analytics assessment. Immediate results.

Dangerous Collaboration Practices: 5 Ways IT Can Minimize Risk

Accenture: Outsourcing for uncertain times. Click to learn more.

The Case for Investing in Business Analytics Technology. Read white paper.

Live Webinar: Applying Business Analytics. Click here to learn more

Seven Ways ITIL Can Help You in an Economic Downturn

Developing A Dynamic, Real-Time IT Infrastructure

Maximizing the Business Value of the PC Infrastructure

Communications and Collaboration Needs at Business Organizations

Using Open Source to Deploy Web Applications

Cloud Computing: Read about VMware's compelling vision & set of products

Enterprise PBX Buyer's Guide

Secondary Market Primer: Your Network at Half Price

How Interactive Viewer Reduces the Effort to Meet Visualization Requirements

Top-line Performance that's Bottom-line Efficient

White Paper: 8 Key Ingredients to Building an Internal Cloud

Read about virtualization and consolidation effort best practices

Building the Virtualized Enterprise with VMware Infrastructure

The Global Marketplace Today: Strategies for Tough Times

Top 10 Business and IT Drivers for the Wealth Management Sector

5 Steps to Automating Accounts Payable

Bottom-Line Benefits of Virtualization