FireEye, Target and Trustwave do the Tango

Previously, I mentioned that FireEye provides 24×7 proactive monitoring services called Managed Defense that it sells as an add-on to its security platform. Basically, the FireEye service supplements the client’s Security Operations (SecOps) team, where FireEye acts as a backup team making sure breaches are stopped before they cause harm. For now, regarding the Target breach, it seems that FireEye is off the hook, and Trustwave is on it.

The lawsuit filed against Target and Trustwave is going to enlighten the security community as to what really happened before and after the breach. The goal is to learn from history so this incident doesn't repeat itself. If Trustwave did provide proactive monitoring services to the Target SecOps team while the breach occurred, and at the same time was performing PCI compliance audit services, the breach just opened up a huge can of worms. The breach is a big deal for Trustwave. However, there is a much more serious matter that might challenge the Trustwave business model. The guiding principle of Auditing 101 is to avoid conflicts of interest.

Trustwave Business Model is Now Challenged

If Trustwave sells compliance services, security products, and security services, there is an issue that goes beyond Trustwave: it is an issue with the system itself and with the PCI Security Standards Council (PCI-SSC). Why did the PCI-SSC allow a company to perform compliance services and sell technology services at the same time? If history is any teacher, then we need to look back no further than a decade ago, when the Big 5 accounting firms encountered the same issue: they were auditing a client's financials while also providing IT services to the same client. We all know how that turned out.

The bottom line: this lawsuit is going to challenge the Trustwave business model, and the PCI-SSC for allowing this to happen in the first place. If I'm Trustwave, what do I do? Do I sell off the auditing services to a KPMG, or do I split the company in two, where one performs compliance services and the other sells technology solutions? As far as what's the best thing to do from this point on, I will leave that to the Harvard suits.