The CEO of Target Corp., Gregg Steinhafel, resigned from the company on May 5, 2014, just five months after one of the biggest data breaches to date. The CIO, Beth Jacob, had already resigned two months earlier in the wake of the breach. These resignations came in response to a breach that affected one in three Americans through stolen credit card data and personal information. Although the CEO's departure was not based solely on the massive data breach, it was a major contributing factor, a first for a non-tech company. Following the breach, the company's 2013 fourth-quarter profits plunged 46% compared to the previous year, and Target CFO John Mulligan, interim CEO prior to Brian Cornell's appointment, had to apologize in front of Congress.
Rearranging after Target
Target has struggled to achieve growth for several years due to what the board of directors identified as underinvestment in key areas by Steinhafel. It was the board's opinion that this underinvestment impacted the information security systems and personnel, contributing to the breach. Opinions seem to be divided on whether the attack could have been prevented with investment in technology alone. Target lacked a CISO, so information security reported to several different executives. Investment in security leadership positions, like the CISO, may have helped unify the disparate security teams and increased their chances of detecting the attack.
The Target data breach became the turning point for some organizations to finally prioritize an information security strategy. There is a new awareness of the importance of information security even with companies that continue to take big security risks. Information security professionals now have the opportunity to sit at the executive table for the first time. These pioneers will be blazing a new trail while under considerable scrutiny from company leaders. Their actions will determine if information security will continue to have a seat at the table in the future.
This newfound status can dramatically increase the leverage that the CISO has in moving projects forward. It will be critical to build a solid information security strategy for the organization in order to use this leverage effectively. Other executives will be keenly interested in this strategy and the funding resources required, as the funds will likely be redirected from their budgets. There are no new financial resources from which to draw, so the demands from the information security strategy must be within realistic funding boundaries.
Communicating with executives
The CISO typically avoids using Fear, Uncertainty and Doubt (FUD) to describe information security risk except in rare situations. The problem with FUD is it could label the CISO as paranoid and out of touch with the business. The Target breach and others like it proved that not only can the worst-case scenario occur, but it happens regularly to other companies. The time to sugarcoat the potential security risks has passed and CISOs can now communicate risk more directly with company leaders. They should not exaggerate risk, but present it realistically in order to maintain credibility.
The newfound leverage and the ability to communicate directly to the CEO and other executives are the upside of managing a security program after the Target breach. There are also downsides to this newfound position, as it does not come without some serious implications.
CISOs may find themselves under considerable scrutiny and micromanagement as pressure mounts from other executives to secure corporate assets and meet project deadlines. There will also be more intense political maneuvering now that the CISO is a peer of the CIO. This could be particularly intense if there are conflicts over shared resources.
CISOs will need a strong team to delegate tasks to while they build relationships with other executives and establish political capital. They will also have to be organized and transparent about department initiatives. Project management disciplines are an effective means to document and report the progress of these initiatives. The CISO must also understand the business in order to communicate effectively with the CEO, and always keep in mind that the CEO has many different priorities to manage beyond security.
The Target data breach is a turning point that is increasing the importance of information security. CISOs and other information security leaders will find themselves with added leverage but not without added stresses. This new attention to information security will allow more direct communication about risk without being labeled as FUD. Development of an information security strategy will be important to set and communicate project goals and realistic budgets. Political capital will be even more important to acquire larger resource allocations. The CISO may find themselves under much more pressure and scrutiny now that other executives finally understand the level of security risk after the Target breach.
It is an exciting time for information security.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in healthcare information technology. He is an active independent author and presenter in the healthcare information technology and information security fields. He is frequently consulted by the media and interviewed about various healthcare information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade, with many different implementations in the medical and financial services industries.