One veteran industry chief information security officer said Target Corp.'s decision to create a dedicated CISO role is a good move in the wake of its massive 2013 holiday data breach,
The Minneapolis-based Fortune 500 retailer lost approximately 40 million credit and debit card numbers -- as well as personal data such as phone numbers and email addresses for 70 million customers -- in the breach. The fallout of the incident included the resignation last week of Target Chief Information Officer Beth Jacob, a company veteran who was reportedly one of several executives who were overseeing information security duties.
In a letter obtained by The New York Times, Target CEO Gregg Steinhafel detailed his organization's plans to create a CISO position for the first time, as well as a chief compliance officer position to replace the company's outgoing vice president of assurance, risk and compliance. Steinhafel explained that the company will be conducting the CISO search through Promontory Financial Group, and is focused on hiring an outside candidate.
"While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly," Steinhafel said in a statement.
Tom Bowers, principal security strategist for Herndon, Va.-based ePlus Technologies Inc., was unsurprised by the resignation of Jacob, noting that it was "pretty troubling" for an organization of Target's size to not have an executive role dedicated to information security. Bowers said he consistently encounters large organizations that lack a CISO, though he has also found more board members willing to press the C-suite on cybersecurity issues.
Bowers said enterprises without a dedicated security executive will likely struggle with the fundamentals of enterprise information security. For example, he said CIOs who handle security duties on their own are often unable to adequately articulate a company's security risk to the CEO, and instead rely on the organization's compliance status as a security barometer.
"A lot of the organizations I deal with say they are SSAE 16-certified. Well, from a CISO perspective, that is the lowest common denominator for security on the planet," Bowers said. "The perception, though, is that passing an audit every year means they are secure. That's the danger of compliance-based security."
Todd Bearman, CISO for New York-based professional services firm Towers Watson, agreed that CIOs sometimes have conflicting responsibilities, which means they may not be the best figure to manage security tasks, such as balancing the desire to introduce new services with the need for restrictive security measures.
Bearman said he worries that organizations may see appointing a CISO as a final step in addressing security, when in reality, the conversation should focus more on putting the risk management processes in place to address each organization's unique needs. As an example of a different approach that works for his organization, Bearman said he provides security program updates to key business committees and the board of directors at Towers Watson, not directly to the CEO, as the security community often advocates.
Bearman said he communicates key risks and what his team is doing to mitigate them, mostly on a non-technical level. The key to the process from a CISO's perspective, he noted, is understanding that security risk is just one of many business risks that need to be addressed by C-suiters, meaning he can't just "tell them the sky is falling and ask for more money."
Bearman said high-level executives will care about information security if they receive the right info conveyed in a language they understand, regardless of whether it comes from a CISO.
"It doesn't matter if I report to the CIO or legal in that case," Bearman said, "as long as the governing process with the right committees and the right paths to the decision makers exists."
Press the flesh
Though appointing a CISO can be an important first step in a security program overhaul, both Bowers and Bearman emphasized that companies need to find the right person for the role and empower that individual to make decisions.
Bowers said that all chief information security officers should focus on building relationships with C-level executives and members of the technical team. CISOs should pay particular attention to the needs of different departments and stakeholders, according to Bowers, and try to explain how security can enable those efforts, rather than hinder them.
When Bowers became CISO of the Virginia Community College System a number of years ago, he personally visited with all of the directors to build those relationships and to develop a better understanding of just how security intersects with the needs of the organization.
"The CISO has to be able to talk to the C-suite and translate security needs into business risk terms, and then translate those business needs from the CEO down to the security team," Bowers said. "You've got to be able to talk both ways. Clearly, that wasn't happening [at Target]."
Bearman employed the same strategy in his current role, where he performed a stakeholder analysis during the first few months in the position. Though a CISO must understand the technology side of security, Bearman said it is more important to first understand the business environment, especially in situations such as the one Target found itself in.
"The challenge will be going into the business and getting to know the leaders that are going to be helpful -- or those that are your obstacles -- and figuring out what has maybe caused them to stop trusting security or [stop] buying into it," Bearman said. "You've got to understand the environment you are in and plot your course forward knowing that it's not just going to be about pitching people and selling; it's going to be about building relationships."
Bearman also said some of the CISOs he has encountered feel more like IT security managers than true C-level executives. Ultimately, while filling the CISO position may bring certain benefits, Bearman cautioned that merely having a warm body in the role isn't enough to actually improve security. Instead, organizations must analyze the entire security strategy and, if the position exists, ensure the CISO's concerns are heard by the decision makers.
"Companies can hire a CISO and restructure a little bit, but [they can] still have an incident," Bearman said. "The key is that they go to leadership with the gaps and employ a really good risk management process that shows where the things are that should be fixed, and what are the risks that the company is perhaps willing to accept."