I read the headline – Target’s Lack of CISO Was ‘Root Cause’ of Systems Breach – in the WSJ and thought this sounds like an article written by the Association of chief information security officers! But actually, it makes good sense. The theory is that the CISO’s task is to be able to clearly articulate the threats and risks in a way that the rest of her/his peers can understand and get. Makes sense.
A panel of experts at the Work-Bench Enterprise Security Summit noted that the absence of a chief information security officer was a “root cause” of the major computer systems breach at Target. Without a CISO, no one was able to articulate cyber risks to senior executives, said Karl Mattson, who worked at Target from 2008 until 2013, most recently as manager of cyber and global intelligence. “[Target] didn’t have an advocate at the C-level, as an executive, advocating for IT security investment.” said Mr. Mattson, now a senior vice president of technology risk management at PNC Financial Services Group Inc.
If Target’s senior management had known of such risks and what was at stake, they would have “made very different choices” of how they structured their organization, and how they invested in capabilities to defend the company’s data. Although Target didn’t have an “endless pool” of money to spend on IT security, its approach, nonetheless, was “very wrong.”
Target spokeswoman Molly Snyder said that Mr. Mattson did not work in Target’s corporate IT department and wasn’t here when the breach was discovered, and had no involvement with it or the resulting investigation. “He has no direct knowledge of what happened,” she said.
The lack of a CISO and a security-focused culture would eventually haunt the retailer. When Target’s intrusion detection software eventually picked up suspicious activity last year and alerted IT staff, the company did not immediately respond to the issue. The consequences were severe, with 40 million credit and debit-card accounts compromised. Target would fire its CIO and CEO, and hire a CISO. The company’s financials were particularly hit hard the last few quarters, as consumer trust in the company eroded.
“The reputation fallout for Target is substantial… and we’re almost a year after the fact,” said Mr. Mattson. “That particular breach struck a chord with people.”
Beyond building a security-focused culture, CISOs must be able to explain risks to senior managers and the boards who may not be tech savvy. Panelist David Hahn, vice president of corporate information security and risk at Hearst Corp., said that he lays out a narrative about how data may be compromised, drawing from media reports of breaches to drive the risks home. “I avoid metrics and try to tell a story,” said Mr. Hahn. Key to this is avoiding jargon that may confuse execs and board members.
Mr. Mattson said a CISO can be crucial to contextualizing cybersecurity risks into the risk management profiles that business managers are accustomed to. This includes discussing cyber insurance coverage and loss exposure. “IT has struggled for many years to translate vulnerabilities and cyberthreats to the business audience,” he said. “Making these issues business as usual for risk management in the decision structures… is the challenge.”
By Clint Boulton