
Sooner or Later You’ll Get Hacked and Hire a CISO

I always thought the marketing campaign for AAA was genius: sooner or later you'll break down and join AAA. A few wise individuals will hand over the cash when they proactively decide to curb their risk, and the rest will find themselves trying to sign up while stranded on the side of the highway. We're seeing a similar storyline play out in the world of security. In our case, not only do we have a few insightful leaders recognizing the risk and others experiencing security system breakdowns, we are also seeing immense pressure from customers, regulators and shareholders.

Just last month I wrote a SecurityWeek column titled "Are We Ready to Take These Breaches More Seriously Now?" I talked about the Target breach and how it was the most recent example of serious fallout from security failures. In this case, Gregg Steinhafel, a 35-year veteran of the company, was forced to resign amid pressure from the massive pre-Christmas data breach. Therefore, it wasn't much of a surprise when, a couple of weeks ago, I read about Target Corporation hiring former GM chief information security officer (CISO) Brad Maiorino. In a press release on its website, Target said the following:

June 10, 2014 – Today, Target Corp. (NYSE: TGT) announced it has hired Brad Maiorino as senior vice president, chief information security officer.

Maiorino joins Target effective June 16 and will be responsible for Target’s information security and technology risk strategy helping to ensure that the company, its guests and team members are protected from internal and external information security threats. He will report to Bob DeRodes, executive vice president and chief information officer.

I certainly applaud the move. Anyone who has spent significant time in the security industry is aware of Brad and the credentials he brings to the table. My question remains, however: what took Target so long to realize it needed someone like Brad in this position?

While I have been talking for years about the need to elevate the role of security in organizations, which a CISO helps you accomplish, there is another important reason for having someone in this position that probably isn't talked about enough: removing the siloed approach to security from our organizations. Having one person who is charged with security for the entire entity ensures that a holistic view is being applied.

When you examine the Target breach more carefully, you will see that it wasn't a breakdown in technology, but a lack of coordination and communication that ultimately led to the security failure. Target did not cheap out on its security; it had all the tools in place to raise the red flags that something was amiss. But there was no central point of security to pull all of this information together and create a clear picture that something was wrong and needed to be further investigated.

Now, I'm not naïve enough to sit here and tell you that appointing a CISO will solve every problem in your organization or guarantee you will never suffer a breach. However, having a CISO not only solves the diffusion-of-responsibility problem by putting one person in charge, it also helps to transform the security culture in your organization. It encourages more executive involvement with the security process, as executives have one C-level point of contact they can meet with to get an organizational view of security, not a bunch of breach statistics in bits and pieces.

Upon accepting the role at Target Corporation, Maiorino had this to say:


“I am looking forward to joining the Target team and helping them continue the progress they have made to be a retail leader in information security and protection. I am confident that the combination of a strong team and the leadership commitment will enable us to achieve that objective.”

A strong team and the leadership commitment. Those are the magic words for a successful security program right there. Too bad Target didn’t have a CISO uttering a statement like that one prior to suffering a major breach. We are definitely a society more prone to reacting than being proactive. However, when it comes to cybersecurity, that is a luxury we simply can’t afford. So hire a CISO and tear down the security silos.

Related Reading: Target CEO Exit Highlights Business Side of Security
