Target Needs a CISO - Interested? Just Make Sure You Ask the Right Questions in the Interview
(Editor's Note: On April 29, Target announced the appointment of a new CIO and provided updates on its security strategies. Its search for a new CISO continues).
The pre-Christmas security breach at retail giant Target has put cybersecurity front and center in news headlines. Last month, Target's CIO announced her resignation. The retailer also announced plans to overhaul its security and compliance division, including the creation of a chief information security officer position to centralize information security functions, which were previously split among a variety of executives.
While it may seem surprising to learn that a retail giant like Target did not have a CISO to centralize these functions, Sony was in the same predicament following its data breach in 2011, when the electronics giant said it would name a CISO as part of a plan to improve IT security. The Target breach exemplifies the importance of not only taking note of "lessons learned" after major data breaches, but analyzing them against your organization's security program so you aren't doomed to repeat the same mistakes.
Nonetheless, Target is looking to hire from outside the company, and the incoming CISO will certainly have a daunting task. Target will need someone who is up for the challenge and capable of handling the pressure of evaluating the entire security landscape of the global retail giant, asking tough questions and making changes to mitigate risk - all to help earn back the public's trust that Target offers a secure shopping experience for credit and debit card users.
First of all, let's evaluate what happened in the 2007 retailer data breach of TJX (parent company of TJ Maxx and Marshalls). Prior to the breach, its CIO had asked for additional data security resources and didn't get them. TJX's total estimated cost for their 2007 data breach, during which hackers stole information from 90 million credit and debit card accounts, was $1.6 billion over the lifetime of the case. I bet the additional data security resources TJX's CIO had asked for cost far less than the staggering costs associated with adjudicating customers after the breach. Target's new CISO should carefully consider the lessons learned from that situation (and others like Sony) to learn from those mistakes and more importantly, refrain from repeating them.
Ask the Right Questions
During the interview process, the prospective CISO should make sure to ask the right questions:
- Will I report directly to the CEO? Understanding the reporting structure is critical to the level of authority of the position. It's also essential to how the CISO will structure his/her resources, which brings us to the next question.
- What level of importance will the company place on security going forward? Needless to say, after the massive breach, security should be one of Target's top priorities to rebuild their reputation for secure payment transactions and also to rebuild public trust. Understanding where security lies in the order of corporate priorities will also help the new CISO evaluate his/her level of authority at the cross-departmental juncture.
- What's the budget for enterprise security? The new CISO must understand not only the level of resources he/she will have to work with and where adjustments can be made during the overhaul, but also how much the other executives are spending in their departments. It's essential to speak to the CFO to come to an understanding about the numbers and whether there's any flexibility in the budget. Once the final bill for all costs associated with the Target breach is tallied, though, this will likely be a less challenging conversation.
Set Ground Rules
The prospective CISO should go into the interview with a game plan to ensure that the philosophy of the organization matches expectations for the position. This will also show that he/she is not only prepared for the position, but ready to hit the ground running. He/she can't be afraid to tell the hiring manager or CEO what they need to be successful in the new position.
The fact that this position is brand new to the company creates a new set of challenges and potential obstacles within the organization. The new CISO should define the specific duties of the role to the entire company, while emphasizing that they alone cannot be successful in the role without the support, cooperation and understanding of the entire company - from the cashiers all the way up to the CEO. Everyone has a role to play when it comes to security, and the new CISO's "likeability" is almost as important as his/her skill set.
Evaluate the Current Situation
Obviously, there is room for improvement in Target's overall security - this new position probably wouldn't exist if the glaring need hadn't been brought about in such a public manner.
Throughout the first 100 days on the job, the new CISO should find out what new policies, technologies and/or awareness training needs to be put in place. He/she must evaluate the entire IT infrastructure and ask: What are the priorities? What project plans are currently under way or coming up? What were the biggest failures that led to the breach? And finally, what can he/she do to mitigate future risks?
One particular area of focus should be the chip and pin card technology rollout, planned for completion by October 2015. In general, the U.S. payment card industry lags far behind global counterparts who've had secure chip and pin technologies in place for years now. In fact, some U.S. cards aren't accepted overseas due to their insecure, outdated magnetic stripe card technology. Walmart already has payment terminals capable of accepting these cards, but only some of them are activated in the U.S., particularly in areas that draw many foreign visitors. Customer awareness and demand for chip and pin card technology will eventually drive magnetic stripe cards out of existence. Hopefully Target's massive effort will spur widespread adoption throughout the nation.
The most important questions to ask during the evaluation are: What are the acceptable risks? And what are the unacceptable risks? All systems, networks and infrastructure have numerous risks, and it's impossible to mitigate all of them and run a business in the 21st century. It's the job of the CISO to collaboratively determine and recommend to business lines what risks are acceptable and what risks are unacceptable.
Take a Strategic Approach
Relationships and corporate buy-in are a critical part of any sound corporate security strategy. The new CISO should establish relationships with key executives and corporate stakeholders. He/she should program the board members, CEO, CFO and PR executive(s) into the speed dial function on their work phone and cell phone. The CISO will be an internal politician as much as anything else, so it's crucial he/she is well liked and approachable. The first person the CISO should invite to lunch is the CFO. It's important to lay the foundation for a strong relationship with the keeper of the purse strings to establish an open line of communication.
The new CISO should set a timeline for changes he/she believes are essential. Project managers should be involved in this process to track deadlines and involve key stakeholders for each project. The world will be watching to see when/if measures are actually put in place to make purchasing items from Target a secure, reliable process.
When it comes to changes, the new CISO should be realistic in the amount of changes he/she wants. We all know real change takes time. He/she must think about what will also work in the future, not just today.
Assume You'll Deal with a Breach Eventually
We can no longer ask the question: What will we do IF we are breached? The question we must start asking is: WHEN we are breached, what will we do to mitigate the damage? Despite our best efforts and the knowledgeable professionals we have in place, hackers are advancing faster than security professionals can keep up. Criminal enterprises are going digital because the world is struggling to train and hire enough cybersecurity professionals to compete with the exploding hacker market, making the digital target (no pun intended) more appealing.
Target was undoubtedly one of the largest breaches we've seen to date, but it won't be the last. When Target does name their new CISO, he/she will have a long road ahead and one of the least envied jobs in the world. The first talk is probably the most important: Instill a mindset across the company that security is a business imperative that continuously demands respect.
As executive director of (ISC)², Tipton is responsible for the overall direction and management of the organization. He has more than 30 years of business experience, including more than five years as CIO for the U.S. Department of the Interior and 13 years as an engineer for Union Carbide Nuclear Corp. He received the Distinguished Rank Award for government service from the president of the United States. In 2014, CareersInfoSecurity recognized Tipton in its first-ever ranking of the top 10 individuals who made a substantial impact on infosec careers.