Target finally gets its first CISO
That it often takes a data breach to get one is a sad reality for many companies, analyst says
Computerworld - Target has hired a chief information security officer (CISO), a move that's noteworthy mainly because it is the first time the company has ever had anyone in this role, even though it is one of the largest retailers in the U.S.
Target on Tuesday announced that Brad Maiorino is its new senior vice president and CISO. In that role, Maiorino will be responsible for managing Target's technology risk strategy and for taking steps to avoid a repeat of the massive data breach at the company last year.
Maiorino was previously the chief information security and information technology risk officer at General Motors, where he was responsible for overhauling the auto maker's global information security organization, Target said in a statement.
Prior to GM, Maiorino was CISO at General Electric. As Target's CISO, Maiorino will report to Bob DeRodes, the company's recently appointed CIO.
Target's decision to hire Maiorino comes about six months after the company disclosed a massive breach that exposed data on about 40 million credit and debit cards and personal data on about 70 million customers.
Target's security practices came under intense scrutiny following the breach, with many faulting the company for not having basic precautions in place for detecting and responding to the intrusion. The breach has already cost Target's former CIO Beth Jacob her job and was at least partly responsible for Target CEO Gregg Steinhafel's decision to step down as well.
Recently, Institutional Shareholder Services (ISS), a company that advises institutional shareholders on governance risk and proxy voting issues, said it wanted seven of Target's 10 board directors voted out for not paying enough attention to data security risks.
The report noted that Target's board should have been aware, even before the breach, of the possibility of theft of sensitive information given the company's size and the number of credit and debit card transactions it handles.
Consequently, the company's move to appoint a new CISO and a chief compliance officer appears to be a case of too little, too late, ISS noted. "The addition of these 'new' positions raises serious concern about how Target could have been running a business of its size and complexity without these permanent roles," the report said.
Target, though, is not the only large company guilty of such oversight.
Neiman Marcus, another big-name retailer that suffered a recent data breach, is also only now looking to hire a CISO. In a recent job ad, the company said it is looking for a vice president and chief information security officer to establish and maintain an enterprise-wide information security program.
The position will be responsible for "identifying, evaluating and reporting on security risks in a manner that meets or exceeds compliance and regulatory requirements," the job ad noted.
A recent survey-based report by PwC on the state of U.S. information security practices found that a "vast majority" of the companies that participated had cybersecurity programs that fell well short of recommended best practices. For instance, just 28% of the companies had a CISO.
The fact that many companies, including large ones like Target, get religious about security only after a breach is a surprising but "sad reality," said Richard Stiennon, principal security analyst at IT-Harvest.
Companies like Target should have hired a CISO years ago -- particularly after breaches at companies like TJX, which highlighted the threat retailers face, Stiennon said. "Nobody pays attention to security until after an intrusion. It is the same story playing out even after a decade" of high-profile breaches.
Target's decision to choose a security executive from the manufacturing industry is also interesting because it would have made more sense for the company to hire someone with experience in retail, Stiennon added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed.