John South joined Heartland Payment Systems when it still was reeling from a devastating breach…and it's the best career decision he's ever made. Dan Kaplan reports.
Joining a payment processor a mere nine months after it was plundered by hackers of more than 100 million customers' credit card numbers might seem like a risky, if not desperate, employment decision. But John South, who in September 2009 took the role of Heartland Payment Systems' chief security officer, couldn't have timed the move any better.
Before Heartland, South toiled for nearly two decades in security jobs where his role was administrative in scope, and every request for budget support was a feckless battle with the rest of the IT department. But with Heartland, he knew that the 3,000-employee payment processor had, even before sustaining the breach, tightly aligned security with its overall business model. The problem was that it always lacked one key ingredient: sound, experienced and strategic security-specific leadership. South was just the person to fill that void, and now, at 62, he's got a comfortable seat at the boardroom table.
“Obviously there's that risk when you're coming into a company that suffered a major breach that viability is something you have to be careful of,” South recalls. “But having talked to the principals and a number of other players in the company, I could see a real dedication to not only mitigating the breach, but keeping the company moving forward.”
Three-and-a-half years later, South has overseen the gutting and successful reconstruction of the company's security infrastructure. South, who is SC Magazine's 2013 CSO of the Year, was brought in to help transform the new operation into a “sustainable and reliable” part of Heartland's business. In addition, he established an internal audit group that conducts regular compliance checks, even though Heartland knows firsthand that compliance doesn't equal security.
South, who also is an adjunct professor at the University of Dallas, was recruited to work at Heartland's Plano, Texas location by Kris Herrin, now the processor's chief technology officer, who was only a couple of months on the job when the breach was discovered. Herrin formerly reported to South at Alcatel-Lucent, where South ended a 19-year stint as director of information security in January 2008. In fact, he was one of the first people Herrin called when he learned of the breach.
South's past year largely has been spent creating Heartland's application security program, which concentrates not only on external apps – remember, Heartland's attackers leveraged an SQL vulnerability to stake their initial foothold – but also internal ones. South also is significantly ramping up the company's security awareness program. For example, he recently oversaw an exercise in which a small portion of workers received fake phishing emails. The security team was interested in learning how many people would click.
“Information security is one of the most significant corporate missions and continual challenges at this high-growth company,” says Charles Kallenback, general counsel and chief legal officer at Heartland. “John's work with the board, the audit committee, senior management, IT, operations and corporate development is absolutely integral to ensuring that information security is embedded in everything that is done at Heartland.”