SecurityWeek

Data Protection

America’s Do It Yourself Warehouse Shines a Light on the Problem of Do It Yourself Security

Late last month, Home Depot reported 56 million cardholders were compromised in what The New York Times called the “largest known breach of a retail company’s computer network.” To put that number in perspective, 40 million cards were compromised in the Target breach, 2.6 million in the Michaels breach, and 350 thousand in the Neiman Marcus breach.

According to reports, the hack hasn’t significantly impacted Home Depot’s growth prospects, and the company announced last week that sales have progressed as expected this quarter. However, we have seen a direct correlation between security breaches and lost revenue. Target missed analyst estimates due to large-scale security concerns – and the hack also cost chairman and CEO Gregg Steinhafel his job. According to reports from Bloomberg, the world’s largest home-improvement chain expects to pay about $62 million this year to recover from the incursion, including everything from call-center staffing to legal expenses. Insurance will pick up $27 million of that tab.

Something about the Home Depot breach strikes me as a bit ironic. This company has been a major part of the DIY (do it yourself) movement – and unfortunately, we have seen that trend spill over into areas that should be the domain of professionals. Of course, I’m thinking of information security.

We’ve all fallen victim to the HGTV effect at one point or another. They bring in an expert with decades of experience to do a major project, and at the end of the 30-minute program, we get to see the flawless finished product. When it looks that easy, we can’t help but think, “I could do that.”

Having the right tools always helps. After a quick trip to Home Depot, I might have everything I need to build a sturdy table or tile a floor. But no amount of professional-grade equipment is going to make it possible for me to build an entire house. You need more than great tools to complete a project of that scope – you need serious experience and know-how.

Similarly, in security, a good tool can go a long way. While I work for a vendor that sells penetration testing tools, we’re the first people to acknowledge that software and hardware alone are not enough to manage a massive enterprise security program. You need security professionals and experienced leaders who can keep the team (and the tools) operating effectively. Just as a professional contractor can make an old kitchen look like new, a security professional can help you put the proper protocols and processes in place.

A great example of relying on tools and not on talent can be seen in Target. They invested heavily in high-end security tools. Everyone in the security industry knows they had FireEye in place, and when an intrusion was detected, it worked just as it was supposed to. It identified the issue, but nobody within the security team ever addressed it. While they had the right tools in place, they didn’t have an effective process for responding to the red flags the tools were generating. Perhaps the biggest indication that they valued tools over know-how was that they didn’t have a chief information security officer (CISO) in place. Without a leader who has visibility into the entire security operation, who would be responsible for implementing and maintaining those essential protocols and processes?

For some reason, corporations think nothing of bringing in professionals for finance-related activities, human resources, training, etc., but are hesitant to spend money on true security professionals. I’m all for do it yourself, and I am a big fan of both Home Depot and the weekend project. However, I am also a big believer that certain activities should be left in the hands of trained professionals. Taking on a small-scale security project? The right tool might be enough to get your team by. Running a major enterprise security program? You had better have experienced leadership in place to tackle that job.
