Monday, 12 May 2014

CEOs, please start taking responsibility for data security seriously

Target Corp. announced on 5 May 2014 that CEO Gregg Steinhafel had stepped down from his position, effective immediately. The news came less than five months after it was discovered that the retail giant had been struck by a massive data breach.

Mr. Steinhafel's de facto dismissal from his $23 million position is a turning point for information security and a signal to the C-suite, and to CEOs in particular, that information security must be taken seriously or they will face the consequences.

The Target data breach saga resulted in the loss of up to 40 million credit and debit cards and the personal information of up to 70 million customers (figures vary from source to source). Target is now the subject of dozens of lawsuits and several congressional hearings, and, as you would expect, the stock has taken a beating.

Mr. Steinhafel's resignation followed former Target CIO (Chief Information Officer) Beth Jacob's exit in March this year. Ms. Jacob was responsible for overseeing the company's IT security programme; however, it is important to note that the company had not created the position of CISO (Chief Information Security Officer). It is also important to note that Ms. Jacob started at Target as an assistant buyer and, due to her undeniable commercial competence, rose through various VP positions until she was named senior VP and CIO of Target Technology Services. She was promoted because she was a very good commercial manager rather than because she had in-depth knowledge of cyber crime and information security management. It is likely her brief was to focus on monetising e-commerce rather than securing corporate and customer data.
Beth Jacob

Bob DeRodes, Ms. Jacob's replacement, is the real deal in technical circles. He has been tasked with handling Target's ongoing security efforts, including the hastened switch to a chip-and-PIN payment infrastructure. Bob, unlike Beth, is an acknowledged expert in information security and has been a senior information technology advisor for the Centre for CIO Leadership, the U.S. Department of Homeland Security, the U.S. Secretary of Defence and the U.S. Department of Justice. By making this appointment the Board at Target has signalled that it realises the level of technical expertise required to effectively manage a corporation's cyber security. Hopefully we will no longer see successful marketing, sales or operations VPs promoted to the CISO seat because of excellent performance in other roles. Would a successful sales VP get promoted to Chief Legal Officer? Unlikely, unless of course they were successful corporate lawyers as well as great sales people.

Bob DeRodes
What the Target breach means to CEOs!

Mike Rothman, analyst and president of Phoenix-based security consultancy Securosis, said: "I'm pretty shocked that something like this would take out not just the CIO, but the CEO, and a 35-year guy at Target at that. You've had so many public-facing companies that went through things like this and the leadership survived. That's something I have not seen."

John Kindervag, vice president and principal analyst at Forrester Research, agreed with Rothman that it was unprecedented for a CEO to resign because of the Target event, but said that such action is long overdue for companies that experience major breaches, particularly when, in his view, executives remain uninterested in implementing proper security procedures.

Even though Target had deployed top-of-the-line security equipment from established vendors, including FireEye Inc. and Symantec Corp., and had established round-the-clock security operations centres to manage its security technology, it failed to follow the basic tenets of the Payment Card Industry Data Security Standard (PCI DSS), and its now-outgoing executives showed an inability to take security processes seriously.

The CISO of any organisation is in the front line for blame, and the role is not for the faint-hearted. The fact that there was no CISO at Target means that either the CEO did not understand the risks or, if he did, he was negligent in ignoring them. For this reason alone the CEO deserved to go.
What actions should CEOs take?

Seeing one of their peers dismissed should worry CEOs into action. When a competent CEO with a 35-year track record loses his career, it sends a message to all CEOs that the buck stops at their door. The first thing they need to do is ensure that the position of CISO is established and carries the requisite technical knowledge and power as well as the responsibilities. If a person is put in a position where they can be made a scapegoat, the least that can be done is to give them a fair chance of success.

The CISO should carry out a risk assessment of all IT infrastructure within the organisation. This means taking stock of all of its information assets, the risks being assumed with purchased software, and so on.

For a large-scale organisation like Target that process will take at least one or two financial quarters; however, it is hard to draw up any specific roadmap for a security programme until a gap analysis of the entire infrastructure has been conducted and an assessment made of how good or bad the infrastructure is. In most large organisations there isn't a central place to find this out, and the hardest part is piecing everything together.

The initial compromise at Target was a sophisticated, weapons-grade malware attack that came in through an HVAC vendor. A CEO who is not aware that his organisation can be compromised through the unwitting help of one of his air-conditioning vendors needs to get up to speed on the threat landscape. If he or she doesn't have a reasonable grasp of the cyber landscape, the resources will not be forthcoming for the CISO to combat cyber threats.

I can just imagine the reaction of most C-suite executives if they were told that one of their air-conditioning vendors could destroy their Fortune 500 company: disbelief, hilarity, jokes in poor taste, all of the above! Executives who don't understand the realities of doing e-business in the modern world need to be retrained. There are many resources for this training; even the Department of Homeland Security in the USA has an E-MBA course designed for senior execs who are oblivious to e-security because, through no fault of their own, they finished their education when office computers were a novelty.

What’s next?
According to a Ponemon study in 2005, the leading cause of data security breaches in corporations was not outsiders hacking in but rather negligent, incompetent or even malicious corporate insiders. Unfortunately not a lot has changed: a more recent study by Symantec showed that three quarters of all recent data breaches could be traced to human error inside the corporation. Human error includes the exec who uses his dog's name and house number as his password for everything and boasts about doing so.

The BYOD trend in business smartphones is another glaring example of turning a blind eye to security. A mid- to high-end phone has more storage capacity than a laptop from a few years back. Every sales contact, customer, contract, product specification etc. can be stored on the device, yet unapproved apps can easily strip that information from the phone. Research by Soluto shows that up to 71% of business smartphones are unsecured or badly secured.

If executives can't imagine how their unsecured smartphone is a security risk, how will they understand a sophisticated malware attack through a third-party facilities supplier?


The only way back to safe ground in the war against cyber breaches is to educate CEOs and the executive team about the risks of cyber breaches and to hand the power and responsibility for corporate security back to trained and competent individuals. These individuals (CISOs) should constantly carry out an objective, risk-based assessment of corporate cyber security. The CISO's job is difficult to begin with: controlling cost and enabling the business while managing risk is a highly skilled job that requires unpopular decisions and laser-sharp focus. Without a CEO's unstinting support the job becomes impossible.

The cost to Target will probably be up to a billion dollars. This occurrence is another wake-up call for corporations and should be heeded before it's too late.