This kind of incompetence directly endangers the privacy and security of anyone who does business with Panera. And it's reminiscent of the kind of incompetence that characterized the Equifax breach and other recent high-profile hacks.
Maybe it's time that a subset of IT workers become professionally licensed and liable, like engineers.
I made this recommendation a couple of years ago when a careless sysadmin left a MySQL dump on a public web share. The response I received is still relevant:
>Requiring a license would wind up making such qualified people more expensive to hire, and companies would ignore it and hire those without licenses to save money.
It would be just about impossible to enforce, naturally, and would be like firing the Senior Developers and hiring fresh graduates.
He has a CISSP (or so says his LinkedIn) though, and on Wikipedia it says DoD, ANSI and NSA value or approve of it and its holders have a higher salary on average.
And we're talking about the director of security with 17 years of security experience here (he also spoke at Akamai Edge 2015), not a common programmer or admin. I'd assume he already isn't too cheap to hire with those credentials? And that a company that size doesn't skimp on its directors?
Then again they'll probably lose nothing over this leak and their response.
Being passive aggressive is even somewhat justifiable if they really get that much scamming, but taking offense at someone asking for a PGP key isn't, nor is ignoring Dylan's emails repeatedly for 6 days when he asked if his encrypted information came through.
Plus the whole "we are working on it" and then not doing anything for 8 months. Did he throw what Dylan sent him away? And then the fix that required you to log in (with an ordinary customer account) to get all customers' data instead of exposing it to the internet. They also told Fox only 10 000 customers were affected, treated Krebs like an idiot to the point that he went on a Twitter rant against them, and he and others were posting links to other holes, web-accessible admin login panels of various things, etc. and saying their website should be taken down (which it now is).
On his LinkedIn page it says he has CISSP[0] and has had four security jobs (Panerabread being his fourth) so far between 2000 and now.
He also might have spoken at Akamai Edge 2015 as a security expert (some internal page comes up if you Google his name called 'speaker details', and in the URL the ID of the event leads to Akamai Edge 2015).
[0] - I've no idea if it's good for anything but according to Wikipedia DoD, NSA and ANSI approve of it and it makes the salaries of its holders higher.
I suppose there are many ways to choose the subset. Maybe software engineers in specific verticals: medical technology, avionics, etc.? Given the number of security breaches lately, CSO seems like a no-brainer, too.
Solution Architecture is where I would go if I wanted to credential IT folks like engineers or CPAs. Require the license if you are accountable for implementing a solution that hits various thresholds.
Infosec is an area where there is already a problem with credential collectors, and in many places it is just a dressed up audit/compliance function. It’s not a standalone vertical imo.