John South joined Heartland Payment Systems when it still was reeling from a devastating breach…and it's the best career decision he's ever made. Dan Kaplan reports.
Joining a payment processor a mere nine months after it was plundered by hackers of more than 100 million customers credit card numbers might seem like a risky, if not desperate, employment decision. But for John South, who in September 2009 took the role as Heartland Payment Systems' chief security officer, he couldn't have timed the move any better.
Before Heartland, South toiled for nearly two decades in security jobs where his role was administrative in scope, and every request for budget support was a feckless battle with the rest of the IT department. But with Heartland, he knew that the 3,000-employee payment processor had, even before sustaining the breach, tightly aligned security with its overall business model. The problem was that it always lacked one key ingredient: sound, experienced and strategic security-specific leadership. South was just the person to fill that void, and now, at 62, he's got a comfortable seat at the boardroom table.
“Obviously there's that risk when you're coming into a company that suffered a major breach that viability is something you have to be careful of,” South recalls. “But having talked to the principals and a number of other players in the company, I could see a real dedication to not only mitigating the breach, but keeping the company moving forward.”
Three-and-a-half years later, South has overseen the gutting and successful reconstruction of its security infrastructure. South, who is SC Magazine's 2013 CSO of the Year, was brought in to help transform the new operation into a “sustainable and reliable” part of Heartland's business. In addition, he established an internal audit group that conducts regular compliance checks, even though Heartland knows firsthand that compliance doesn't equal security.
South, who also is an adjunct professor at the University of Dallas, was recruited to work at Heartland's Plano, Texas location by Kris Herrin, now the processor's chief technology officer, who was only a couple of months on the job when the breach was discovered. Herrin formerly reported to South at Alcatel-Lucent, where South ended a 19-year stint as director of information security in January 2008. In fact, he was one of the first people Herrin called when he learned of the breach.
South's past year largely has been spent creating Heartland's application security program, which concentrates not only on external apps – remember, Heartland's attackers leveraged an SQL vulnerability to stake their initial foothold – but also internal ones. South also is significantly ramping up the company's security awareness program. For example, he recently oversaw an exercise in which a small portion of workers received fake phishing emails. The security team was interested in learning how many people would click.
“Information security is one of the most significant corporate missions and continual challenges at this high-growth company,” says Charles Kallenback, general counsel and chief legal officer at Heartland. “John's work with the board, the audit committee, senior management, IT, operations and corporate development is absolutely integral to ensuring that information security is embedded in everything that is done at Heartland.”
Outside of Heartland, South has been instrumental in promoting information sharing around threat intelligence, something he believes is paramount if the good guys stand a fighting chance. He sits on the board of directors at the Financial Services – Information Sharing and Analysis Center (FS-ISAC). In 2009, he helped create a subgroup, known as the Payments Processing Information Sharing Council (PPISC). South also believes in enforcement. In 2003, he helped stand up the U.S. Secret Service North Texas Electronic Crimes Task Force, and is a founding member of the region's FBI InfraGard program.
“John has provided his mentorship to me, personally, and to countless individuals who have benefited directly from his experience,” says David Bentz, assistant director of Group Services, a Fort Worth, Texas-based security services and consulting firm. Besides being “scary smart,” Bentz, a retired Secret Service agent in Dallas, adds that South is a “man of character and dedication.”
In a Q&A, SC Magazine asked South to comment on current and future trends, and to define his technology and project roadmap at Heartland.
SC Magazine: How would you describe today's security threat landscape?
John South: Today's security threat landscape is the most dynamic and aggressive we have ever seen. We have focused threat actors, some with nation-state protection, attacking more targets than ever. Whether it's criminals monetizing their attack strategies or nation-states attacking our critical infrastructures and intellectual property, the financial and tactical rewards are enabling them to invest in building powerful capabilities. They are actively developing new techniques and tactics to affect their strategies, and are easily luring new members into their ranks. Most importantly, cyber criminals know what targets they want to hit and when they will hit them.
SC: What is your biggest gripe with the way security is done these days?
JS: Information sharing is still having growing pains. There are some important agencies and corporations dedicated to tracking malicious activity and terminating it, but in some notable industries, it is still difficult to disseminate actionable intelligence on potential attacks to the large number of businesses, particularly smaller businesses. As a result, companies and individuals continue to be breached every day.
The information sharing movement can only get traction if it gets federal attention, funding and resources that would enable the intelligence agencies, federal law enforcement and the carriers to establish a comprehensive program for defending and alerting our infrastructure, companies large and small, and even individuals when they are threatened. A second and equally critical requirement is that the Department of State takes diplomatic action against those nations that harbor these criminals or conduct nation-state attacks themselves.
SC: Are we getting anything right? Said another way, are the adversaries beatable?
JS: Absolutely. We are seeing much more information sharing across government agencies (though there is plenty of room for expansion) and among corporations. Businesses are getting the message that security issues can no longer be their dirty little secret or their competitive advantage.
SC: Are the adversaries beatable? That's more complex. Today, the adversaries have a definitive advantage of time, target selection and the great tool of the internet to attack virtually anybody at any time. In particular, social media networks are enabling them to enlist the aid of other groups to assist in their attacks, providing an almost inexhaustible supply of labor. In many cases, these groups and recruits have either direct nation-state protection or at least a nation-state that supports their actions.
With these advantages, they probably can't be beaten. Just like bank robbers and drug dealers, cyber criminals and nation-state actors are part of a criminal lethality that will never go away. But we should all collectively strive to make it so difficult for them to conduct their attacks that it depreciates their economic and political incentives and cripples their operations. At best, we may eventually reach a point where we can effectively stop the majority of attacks at the carrier level then track the criminals down and bring them to justice.
SC: What is on your future agenda at Heartland?
JS: My agenda is to continue improving Heartland's security strategy to take advantage of emerging technologies, such as BYOD and the cloud, while staying focused on the security implications of merging these technologies into our infrastructure. I will also continue to press for improvements in industry-government sharing and advocate that the value in the intelligence that we gather is in the sharing of it.
SC: What are the threats/newer applications that you think you and others in your position must address this year? How will you do this?
JS: One of the major threats that will be facing all of us over the next year is the increasingly aggressive DDoS attacks against elements of our critical infrastructure. I would not assume that these attacks will be only aimed at major companies like we have recently seen focused toward the major banks. As cyber criminals perfect their attack vectors, I would expect to see new targets to emerge in the weak links of corporate networks, such as the crucial junctures of companies' supply chains as well as their customers' networks. Attacking the weaker links may give the adversaries an edge in compromising the country's critical infrastructure.
BYOD will challenge all of us as this is, but the tip of the ever-evolving iceberg. Over the next few years, I expect to see more applications and infrastructure built around mobile platforms. Cloud computing will have similar challenges for us in the future, particularly in maintaining full diligence of data and applications. In the cloud, the presence of data may take on all new meanings.
SC: What are the security technology essentials that organizations should have in place?
JS: One of the more important tools, as always, is a comprehensive logging and review process. Today, it's critical that this capability be tied into an active intelligence process that allows trained resources to quickly and efficiently identify anomalous behavior. Two other technical capabilities can be associated with this process. As our adversaries need to be able to communicate back to their own devices, having a mechanism for quickly identifying command-and control-channels as they are established is essential. In addition, as we share malware and attack indicators, having a tool that allows you to quickly locate the presence of the indicators on the network provides a distinctive edge.
SC: What tips would you give to individuals looking to enter the field of information security?
JS: Build a strong base of understanding around the technical side of security, but be able to discuss your strategies in business terms. You will have to sell your ideas to your business leaders and perhaps even your company's board of directors; therefore, you must be able to build a business case around your strategy to show not only the technical but business advantages. The more lucid and compelling an argument you present, the better chance you have of selling and implementing your idea. In addition, if you are completely new to the field of information security or if you are still in school, try to find a company that is offering an internship program, which will give you an opportunity to showcase your capabilities and gain relevant experience.
SC: What's your best advice to others when it comes to building a strong security program?
JS: The most important aspect of building of a strong security program is having the right team, and the right size team, in place. There's no right answer to what the right number of people is; no magic formula exists. However, it's essential that you have team members who can operate effectively without direct supervision, who can independently decide how to approach a security question and who act as internal security consultants. As such, security team members need to understand how to listen to business leaders and help translate their needs into a strong security program. While this process needs to start early in the project lifecycle, the security team should be engaged throughout the various stages of development and deployment.
SC: How will the role of the CSO look in five years? In 10 years? In 20?
JS: In the next five years, I expect that we will see increasing turmoil as criminals and nation-states continue to develop and use their capabilities to attack our infrastructure as well as the networks and computers of companies and individuals. The incentives for our adversaries far outweigh the repercussions. But we aren't just going to be sitting around, as I believe corporate and federal law enforcement will increase the use of offensive tactics and weapons, and implement better defensive capabilities.
My projections for 10 and 20 years out are a bit more fuzzy. But wherever that may take us, we need to ensure that security stays engaged early and often in new projects. One thing that is fairly apparent about the future is that there will be a glut of open security jobs as baby boomers phase out of the workforce. There are few colleges and universities that are educating students with degree programs focused specifically on security. nurtured. This is where active mentor and internship programs can help identify new talent for your organization.
SC: Any hobbies, destination spots or other more personal areas of your background that you would like to share?
JS: My wife and I have taken up running (after a long hiatus for me, a new adventure for her). Though we both enjoy competing in 5K races around Plano, [Texas], we have a long way to go before we get competitive. But, at least at this time for us, it's about the running and not the medals. It's fun to challenge ourselves to improve, even if the only reward is in knowing that we finished.