BreachExchange mailing list archives

Six Lessons From The Target Security Debacle


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 May 2014 18:26:28 -0600

http://www.forbes.com/sites/peterhigh/2014/05/05/six-lessons-from-the-target-security-debacle/

Target CEO Gregg Steinhafel has resigned effective this morning. This is a
key moment for boards, CEOs, and CIOs the world over.  This comes roughly
two months after the company’s CIO Beth Jacob resigned also in the fallout
of the infamous data breach that the company announced on December 19,
2013.  If this could happen to highly regarded executives like Steinhafel
and Jacob, at a company that was considered one of the world leaders in
data management, this could happen to you, too!

I am in the throes of a series on board-level CIOs.  Through the course of
conversations with the CIOs of companies like FedEx (FDX -0.64%), Cardinal
Health (CAH +0.24%), Texas Instruments (TXN -0.17%), and Intel (INTC
-1.1%), I have been heartened to hear that there are a number of companies
that are seeking the counsel of CIOs who have successfully balanced
IT-based innovation with securing the data of the enterprise.  Sadly, most
companies do not yet have that voice in the board room to provide that
balanced perspective.

The Target (TGT -3.11%) news is an opportunity to re-think the wisdom of
proceeding without the counsel of a talented IT voice in board-level
conversations.  Like so many disasters, it will likely cause some companies
to swing the pendulum toward dramatic security measures that put a governor
on innovation. This would have disastrous implications, as well. Here are
six thoughts on what companies should do to better secure the enterprise
while ensuring that innovation still reigns:

First, ensure that your CIO has successfully guided your company or others
through security issues. This may sound odd. Wouldn’t you want a CIO who
has never had a security breach of any kind? If a CIO indicates that they
have a 100% record in preventing security issues, it may well mean that he
or she has not monitored security as well as he or she should. As the old
adage goes, there are two kinds of companies: those that have experienced a
breach, and those who are simply not aware that they have. If you have a
CIO who is in the latter camp, either ensure that he or she has a strong
network to leverage to draw lessons from, or consider a new CIO.

Second, hire a seasoned Chief Security Officer (CSO) or Chief Information
Security Officer (CISO).  The CIO role is so complex, and to an increasing
extent is focused on innovation. By definition, innovation means risk. Risk
is not a bad thing. In fact, it is essential. The CSO/CISO and his or her
team ought to be the filter to help the company understand when new or old
ideas are increasing the risk to the company to an extent that
counter-measures are necessary, while also ensuring that the existing
infrastructure (physical and virtual) remains secure.

Third, ensure there is a comprehensive approach to security.  Physical
security and data security are often linked. Unfortunately, in many
companies, security has evolved almost like the creatures on the Galapagos
Islands. Some functions are proactive and creative in their approaches,
while others are slow moving and largely ignorant.  A well-balanced and
comprehensive approach that is led by a single executive is optimal.  That
executive should have team members in each of the functions and business
units of the company, as well. It is also important to note that study
after study has pointed out that the biggest risk to companies actually
comes from internal rather than external bad actors.  This requires solid and
well-communicated guidelines about how to access company data, how to allow
multiple devices (both company issued and personal) to access it securely,
and what to do in the case of an issue. This then leads to the next idea.

Fourth, develop a well-tested disaster recovery and business continuity
plan.  Many companies have nicely documented BC/DR plans, but a healthy
majority never tests them comprehensively.  Putting the plans into action
only when an issue has arisen means that they are being put into action too
late.  Develop solid plans, but test them with some frequency. The
learnings of each test need to be well documented, and new approaches that
reflect the evolving risk to the company are also essential.

Fifth, seek the counsel of outsiders.  This means speaking with executives
from other companies about issues that have arisen to share perspectives
and approaches. Security best practices should be shared to a greater
degree since they should not be the source of competitive advantage.  The
more one can learn from the issues that have arisen elsewhere, the fewer
mistakes need to be made within your company. Also, the security landscape
is much too complex to have an insular stance and perspective.

Sixth, and lastly, it is important to ensure that security be a board-level
topic. Some companies are making the CSO or CISO a peer to the CIO, and
having that person report to the CEO.  This is often a good idea, as it
gives that executive a degree of objectivity and independence internally,
and it ensures that that person will have the credibility and weight of
opinion in board meetings.  Companies should increasingly invite technology
experts onto the board, as well, to ensure that all discussions are
filtered through a security lens.

There is a wide array of process and technology recommendations that
dovetail from these six. The pace of innovation in the security space is
such that companies generally, and CIOs, CSOs, and CISOs more specifically,
must remain abreast of new vendors and solutions, and ensure that tools and
processes provide both proactive and reactive ability when it comes to
security.

A disaster is a terrible thing to waste.  Clearly this lesson is not lost
on Target, which has hired one of the most talented and seasoned CIOs in Bob
DeRodes.  No doubt, a comparably talented and seasoned CEO will be hired
to replace Gregg Steinhafel. Worse than letting the disaster go to waste is
to repeat the mistakes of another company.  Companies must act to ensure
that this same fate does not befall them.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss