About six months after suffering a massive data breach, and subsequently removing its CIO and CEO, Target has selected its first Chief Information Security Officer, or CISO. Brad Maiorino held a similar post at General Motors, reports CSOonline, an interesting choice given that he does not come from a retail background.
However, writes Antone Gonsalves at Computerworld, experts worry that this is another misstep by Target. The new CISO will report to Target’s brand-new CIO, Bob DeRodes, when he should be reporting directly to the interim CEO, John Mulligan, they say.
Especially given its lax attention to security in the past, observers say Target is making a mistake by not making its new security focus one of the company's highest priorities. The CIO's full slate of responsibilities could create a situation in which security is once again given short shrift in this type of hierarchy, says IT-Harvest Chief Research Analyst Richard Stiennon: “CIOs have to deliver on projects and keep things operating, and quite often security controls and measures slow things down. So they launch things in an insecure mode, and of course, after that it's too late.”
CSOonline, while noting that industry risk advisory companies call Target’s hiring of a CISO, no matter who he reports to, “too little too late,” says the company is not alone. Neiman Marcus, which suffered a data breach around the same time as Target’s, is also scouting for a CISO for the first time.
When I recently spoke to Jeff Northrop, CTO for The International Association of Privacy Professionals (IAPP), about IAPP’s new privacy certification, he stressed that the responsibility for data privacy and security must be given the appropriate stature:
Privacy risk is relatively new, and grows as new uses for data grow. Organizations are scared, and they’re not quite sure how to proceed. At this point, policies, etc. may still be dispersed, but the person managing the mitigation strategies needs to be at a high level for a cohesive strategy. In that model, as data propagates, risks don’t spread.
And a Reuters piece on large U.S. corporations that are looking into bringing on CISOs if they don't already have them says that, at the same time, a number of corporate boards are actively seeking to add directors with security expertise, to help the board make better-informed assessments. The piece names current and former CIOs with security backgrounds from the Department of Defense, Dell SecureWorks and AT&T as individuals who have recently been approached to fill this need on boards of directors.