Late last month, Home Depot reported 56 million cardholders were compromised in what The New York Times called the “largest known breach of a retail company’s computer network.” To put that number in perspective, 40 million cards were compromised in the Target breach, 2.6 million in the Michaels breach, and 350 thousand in the Neiman Marcus breach.
According to reports, the hack hasn’t significantly impacted Home Depot’s growth prospects, and the company announced last week that sales have progressed as expected this quarter. However, we have seen a direct correlation between security breaches and lost revenue. Target missed analyst estimates due to large-scale security concerns – and the hack also cost chairman and CEO Gregg Steinhafel his job. According to reports from Bloomberg, the world’s largest home-improvement chain expects to pay about $62 million this year to recover from the incursion, including everything from call-center staffing to legal expenses. Insurance will pick up $27 million of that tab.
Something about the Home Depot breach strikes me as a bit ironic. This company has been a major part of the DiY (do it yourself) movement – and unfortunately, we have seen that trend spill over into areas that should be the domain of professionals. Of course, I’m thinking of information security.
We’ve all fallen victim to the HGTV effect at one point or another. They bring in an expert with decades of experience to do a major project, and at the end of the 30-minute program, we get to see the flawless finished product. When it looks that easy, we can’t help but think, “I could do that.”
Having the right tools always helps. After a quick trip to Home Depot, I might have everything I need to build a sturdy table or tile a floor. But no amount of professional-grade equipment is going to make it possible for me to build an entire house. You need more than great tools to complete a project of that scope – you need serious experience and know-how.
Similarly, in security, a good tool can go a long way. While I work for a vendor that sells penetration testing tools, we’re the first people to acknowledge that software and hardware alone are not enough to manage a massive enterprise security program. You need security professionals and experienced leaders who can keep the team (and the tools) operating effectively. Just as a professional contractor can make an old kitchen look like new, a security professional can help you put the proper protocols and processes in place.
A great example of relying on tolls and not on talent can be seen in Target. They invested heavily in high-end security tools. Everyone in the security industry knows they had FireEye in place, and when an intrusion was detected, it worked just as it was supposed to. It identified the issue, but nobody within the security team ever addressed it. While they had the right tools in place, they didn’t have an effective process for responding to the red flags the tools were generating. Perhaps the biggest indication that they valued tools over know-how was that they didn’t have a chief information security officer (CISO) in place. Without a leader who has visibility into the entire security operation, who would be responsible for implementing and maintaining those essential protocols and processes?
For some reason, corporations think nothing of bringing in professionals for finance related activities, human resources, training, etc. but are hesitant to spend money on true security professionals. I’m all for do it yourself and I am a big fan of both Home Depot and the weekend project. However, I am also a big believer that certain activities should be left in the hands of trained professionals. Taking on a small-scale security project? The right tool might be enough to get your team by. Running a major enterprise security program? You better have experienced leadership in place to tackle that job.