Former Hannaford CIO: Avoid Microsoft And Change PCI's Encryption Rules

Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft's OS to be "so full of holes" and describes the fact that current PCI regs do not require end-to-end encryption as "astonishing."

But Homa's key point is that most retailers handle security backwards: Don't pour everything into protecting the front door. Assume they'll get through and have a plan to control them once they're inside.

One of the most frustrating IT security realities in retail today is the quintessential oxymoron: The more serious the CIO is about keeping data secure and the more sophisticated a defense is deployed, the more points of vulnerability emerge.

For example, an especially risk-averse IT exec might opt for multiple distant off-site backup locations, which only increases the number of potential places and subcontractors that could lose—or maliciously access—those data files. Or security specialists who install a wide range of cutting-edge and redundant security applications may find themselves at the mercy of any crash-causing glitch in any of them.

Consider PCI. The most dedicated PCI program is subject to the whims of a potentially careless assessor, who would also be a potential data leak. Then there's operating system changes for the sysadmin dedicated enough to immediately download and install every patch and security update, only to find that they open more holes. A less aggressive effort might have been spared that pain, as the community identifies the hole before it's installed.

This came to mind as I was chatting the other day with Bill Homa, who on July 1 could say for the first time in 12 years, "Today, I am not the CIO of Hannaford."

PCI-compliant Hannaford was, of course, the victim of an especially large data breach (data from 4.2 million payment cards grabbed).

Homa has become a fan of simplification in battling security. "We used a lot of Linux," Homa said. "None of the breach was anything related to Linux. All of it was Microsoft."

Asked whether he believed that Microsoft is less secure because it's truly less secure software or whether its overwhelming marketshare makes it a cyber thief target, Homa said it was the other way around. Microsoft's marketshare is not what attracts so many attackers. "Microsoft is so full of holes. That's why it's still a target," he said.

Would he counsel other CIOs to avoid Microsoft like the plague? "That's what I'd do. If you limit your exposure to Microsoft, you're going to be in a more secure environment," he said, adding that Microsoft's philosophy is decentralized, forcing IT to manage more points. That means more license fees for Microsoft and more potential security gotchas for the CIO. "Hence, you see my aversion to Microsoft."

As for the oft-repeated song that Hannaford was breached while PCI compliant indicates some sort of a PCI indictment, Homa said it comes down to two things: "Either the standards weren't strong enough or the assessor wasn't doing his job."

He finds particular fault in one aspect of the current PCI standard: "All debit- and credit-card transactions should be encrypted from end to end. That should be the minimum. It's astonishing that isn't the standard of PCI," which only requires encryption when transmitting over a public network such as IP.

The PCI rationale is that private point-to-point networks—such as the one Hannaford uses—are sufficiently secure that they don't need encryption. Homa disagrees. "Nowadays, encryption is not that expensive. And there's no such thing as a secure network," he said. "If you think your network is secure, you're delusional."

Homa has his own strong security strategy, which seems to be a minority view. It's futile, he said, to continually pour resources and time into securing the front door and windows of a house that is being relentlessly attacked by well-financed thieves with plenty of time. Instead of spending so much effort trying to keep the bad guys out, assume they'll get in.

"Most retailers have the philosophy of keeping people out of their network. It's impossible to keep people out of your network. There are bad people out there. How do I limit the damage they can do? If you don't do that, they'll have free reign to do whatever they want."