There has been a lot of hiring and firing within Target’s executive leadership after their publicly acknowledged data breach earlier this year. The CEO and CIO officially resigned, though they were likely pressured to leave their positions as damage control for all the bad publicity surrounding the breach.
The fallout from the breach has not only hurt Target financially, but also diminished its image as a retailer. To improve the financials as well as the public perception, Target needed new leadership to guide the company moving forward. That is, until the next data breach occurs.
Lessons From The Target Breach
As Target hires their first CISO, Brad Maiorino, should he expect to get fired when another exfiltration of data occurs? Are the new CEO and CIO going to be planning for job security and positioning the CISO role to be doomed for failure? The thought has probably crossed the mind of the incoming CISO, and he should be prepared for such a situation.
The Target breach has provided a wealth of lessons for IT security leaders. IT Security leadership is changing and so are the demands associated with the job. IT security leaders can no longer sidestep responsibility. The next breach could mean your job. As Maiorino assumes his new job at Target, there are some good questions he should be asking himself and the organization. Questions that any new IT security leader should ask.
Where Does Infosec Sit in the Corporate Governance Structure?
If corporate governance acts as the conscience of the company, then information security needs to know where that conscience is.
In March, former Target CEO Gregg Steinhafel announced plans to overhaul the company’s information security and compliance practices. That includes hiring a chief compliance officer and creating the new CISO position. Maiorino will report directly to Bob DeRodes, Target’s newly hired executive vice president and chief information officer. Because this is a newly-created position, Maiorino will have to learn to navigate Target’s corporate structure, working closely with DeRodes and the incoming chief compliance officer (a position that has yet to be filled).
It is important for all IT leaders to understand their role in the corporate structure. Specifically, there needs to be clear expectations regarding who owns what corporate governance responsibilities.
Without clear lines of ownership, attention to detail starts to diminish, short-cuts emerge, and sensitive data becomes threatened. When the inevitable breach happens, it leads to lawsuits, federal investigations, and resignations en masse, as we have already seen with Target.
As such, any new leader must understand where he/she sits in the entire structure. Moreover, IT security leaders must forge working relationships with the other senior managers within the organization. That means becoming the conscience of the company without becoming a nuisance to the company. This leads to the next big issue new IT security leaders must address.
Is Information Security Really a Priority?
High-profile breaches, like Target’s, often propel information security into a top priority. Right now, it is a good time to be a CISO at Target because information security is going to be a priority for the next six months. But will it remain a priority?
In the wake of the breach, Target has already taken the following steps to enhance security:
- Enhanced monitoring and logging
- Installed application whitelisting on the point-of-sale system
- Implemented enhanced segmentation
- Reviewed and limited vendor access
- Enhanced security of accounts
- Committed to smartcards for Target REDcard customers using MasterCard’s chip-and-PIN solution
- Invested $5 million in a joint campaign to educate consumers about cybersecurity, working in conjunction with the National Cyber-Forensics and Training Alliance, the National Cyber Security Alliance, and the Better Business Bureau
- Joined the Financial Services Information Sharing and Analysis Center
These are all good steps, but this means that there will be a lot of eyes on the CISO’s decisions and direction with internal security.
If security is really a priority, then it must translate into authority and action. IT leadership is in a good position to exert influence and move the organization in a positive direction. Part of this is to assume there will be another breach, and begin reducing risk across the entire organization.
Performing a comprehensive, organizational risk assessment is a good place to start. An honest, independent risk assessment can help senior management understand if adequate controls are in place. Moreover, done correctly, a risk assessment can also begin influencing these teams. It is important that the risk assessment be truly objective, and engage the entire organization in a realistic conversation about risk.
With help from DeRodes, and the chief compliance officer, Maiorino must make sure that information security remains the company’s top priority by leveraging his responsibility to effectively implement new controls to secure online transactions. Only then will Target begin to slowly regain customers’ trust.
What Resources are Available?
If information security is really the organization’s top priority, then there must be resources available to realize that. New IT security leaders must work with financial and planning teams to identify the resources available and prioritize adjustments within the company both for operations after the disaster, and for long-term business continuity.
This is why performing an organizational risk assessment is so important. Properly performed, a risk assessment should identify the areas where the organization has the most serious threats and focus resources on those areas.
For Target, this will be a challenging conversation with CFO John J. Mulligan (who is also currently serving as interim president and CEO). They must identify what is allocated to information security across multiple projects and groups. Building a strong relationship with the CFO is important. However, it is important for any new IT security leader to recognize that resources are finite. No matter how much of a priority IT security is, there is only so much money available.
Target’s Maiorino will be in a good position to leverage more cash and resources out of the company due to the data breach and the ensuing public relations nightmare. Mulligan will be less likely to curtail funds for information security infrastructure if Maiorino aligns the company’s strategic goals with that of new information security practices.
Where are We Going?
Meaningful security change takes time. Part of making security changes stick is for the organization to see there is a long-term strategy for improvement. As such, it is vital for IT security leaders to have intimate conversations with other leadership on the long-term vision of the organization.
While the creation of a security leadership position, like Target’s CISO, is a big step in recovering from a data breach and regaining consumers’ trust, it can often devolve into a superficial public relations effort. This is why the organization needs more than rhetoric; it needs a serious plan and the language to back that plan.
In Target’s case, they made a clear statement that this investment has a real, long-term plan. Speaking on the company’s first-quarter earnings, Mulligan said:
While we are pleased with this momentum, we need to move more quickly. As a result, we have made changes to our management team and are investing additional resources to drive U.S. traffic and sales, improve our Canadian operations and advance our ongoing digital transformation. We have updated our 2014 earnings expectations to reflect the impact of these investments and believe that they position Target for accelerated profitable growth as a leading omnichannel retailer.
Understanding the company’s long-term goals helps the CISO craft his expectations and stake out his position within the organization while integrating Target’s security needs with the company’s future.
If he doesn’t respect the company’s long-term business goals, Maiorino might soon be handing in his own resignation. While he may have to take all the blame when another breach occurs, with proper handling and adherence to proper information security governance, Maiorino could come out unscathed.
Conclusion
These questions are really just the beginning for any IT security leader. Ultimately, the new leader needs to begin building a sustainable security program that both anticipates and prevents the next breach. Target is once again providing an excellent platform to analyze the changing nature of IT security. More specifically, Target is showing how IT security leadership cannot hide behind policy, programs, and politics. Security breaches now have real, tangible impact on IT security leaders, including losing your job and respect.
Today’s IT security leaders need to take a whole new approach to management. They need to look beyond controls and checkbox audits to understand the whole security picture. Moreover, they need to start asking some hard questions of themselves and their employer.
Well, I’m guessing the first thing they did was put their FireEye appliances into blocking mode rather than alerting. Could have avoided this whole fiasco…
The breach was last year, but your article is still very relevant and reminds us just how pervasive the security lead needs to be throughout the company.