
Sooner or Later You'll Get Hacked and Hire a CISO

I always thought the marketing campaign for AAA was genius: sooner or later you'll break down and join AAA. A few wise individuals hand over the cash when they proactively decide to curb their risk, and the rest find themselves trying to sign up while stranded on the side of the highway. We're seeing a similar storyline play out in the world of security. In our case, not only do we have a few insightful leaders recognizing the risk and others experiencing security breakdowns of their own, we are also seeing immense pressure from customers, regulators and shareholders.

Just last month I wrote a SecurityWeek column titled "Are We Ready to Take These Breaches More Seriously Now?" I talked about the Target breach and how it was the most recent example of serious fallout from security failures. In this case, CEO Gregg Steinhafel, a 35-year veteran of the company, was forced to resign amid pressure from Target's massive pre-Christmas data breach. So it wasn't much of a surprise when, a couple of weeks ago, I read that Target Corporation had hired former GM chief information security officer (CISO) Brad Maiorino. In a press release on its website Target said the following:

June 10, 2014 – Today, Target Corp. (NYSE: TGT) announced it has hired Brad Maiorino as senior vice president, chief information security officer. 

Maiorino joins Target effective June 16 and will be responsible for Target’s information security and technology risk strategy helping to ensure that the company, its guests and team members are protected from internal and external information security threats. He will report to Bob DeRodes, executive vice president and chief information officer.

I certainly applaud the move. Anyone who has spent significant time in the security industry is aware of Brad and the credentials he brings to the table. My question remains, however: what took Target so long to realize it needed someone like Brad in this position?

I have been talking for years about the need to elevate the role of security in organizations, and a CISO helps you accomplish that. But there is another important reason for having someone in this position that probably isn't talked about enough: removing the siloed approach to security from our organizations. Having one person who is charged with security for the entire entity ensures that a holistic view is being applied.

When you examine the Target breach more carefully, you will see that it wasn't a breakdown in technology but a lack of coordination and communication that ultimately led to the security failure. Target did not cheap out on security; it had the tools in place to raise the red flags that something was amiss. But there was no central point of security to pull all of that information together and create a clear picture that something was wrong and needed to be investigated further.

Now, I'm not naïve enough to sit here and tell you that appointing a CISO will solve every problem in your organization or guarantee you will never suffer a breach. However, a CISO not only solves the diffusion-of-responsibility problem by putting one person in charge, it also helps transform the security culture in your organization. It encourages more executive involvement in the security process, because executives have one C-level point of contact they can meet with to get an organizational view of security, rather than a bunch of breach statistics in bits and pieces.

Upon accepting the role at Target Corporation, Maiorino had this to say:

"I am looking forward to joining the Target team and helping them continue the progress they have made to be a retail leader in information security and protection. I am confident that the combination of a strong team and the leadership commitment will enable us to achieve that objective.”

A strong team and the leadership commitment. Those are the magic words for a successful security program. Too bad Target didn't have a CISO uttering a statement like that one before suffering a major breach. We are definitely a society more prone to reacting than to being proactive. When it comes to cybersecurity, however, that is a luxury we simply can't afford. So hire a CISO and tear down the security silos.

Related Reading: Target CEO Exit Highlights Business Side of Security

Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts, and a BA in Communication from Westfield State College, Massachusetts.