By now we’ve all heard about the epic Target data breach – a theft of up to 70 million credit and debit card records from the third-largest U.S. retailer. Many of us have also followed Target’s ensuing actions, such as announcing an overhaul of its information security practices and the resignation of its chief information officer.
According to Chief Executive Gregg Steinhafel, Target is committed to a radical security examination and transformation. As it dives deep into an evaluation of its technology and operational processes, one of the more noteworthy developments is Steinhafel’s decision to elevate the role of its chief information security officer in an effort to strengthen its security.
This pronouncement is probably music to the ears of security professionals for a few reasons. But before we get into those, I want to say that Target’s strategy here hopefully represents the harbinger of a new era in which the role of the CISO is elevated as a more strategic, central character in a company’s operations, strategy, and executive suite.
We live in a time when cybercrime is rampaging across the business landscape, intimidating consumers and damaging organizations. If ever there was a moment to rethink the role of a CISO, it is now. All of us could benefit from examining where CISOs sit in our organization historically and where they should ideally be positioned going forward, how their role interacts with the CIO, CEO, CFO, COO, and other senior executives, and how their expertise can result in more than just greater security and risk management – it can result in a more productive, fluid business.
Elevating the role of the CISO
The role of the CISO or CSO varies from company to company. While the CISO is clearly recognized as a thought leader in security, their brand as a business person is lacking. As a result, their actual responsibilities and capacity to protect the company fluctuate from organization to organization. Depending on their relationships with the CIO, CEO, CFO and COO, and the board of directors (if there is even a relationship), their companies’ business models, their risk management objectives, and security threat trends, their role is often valued and prioritized less than those of other senior leaders, and is even less well understood. After all, security is typically an unsavory topic, and a job many executives and professionals would rather just not touch.
For instance, in some companies the CISO reports to the CIO. Sometimes they are in different groups. This is a relationship that can run into trouble, given that many CIOs lack a strong security background. Often the CISO doesn’t respect the CIO as a result. Only by respecting each other’s expertise, blending their complementary strengths and working as a team can they successfully protect the company and their customers. How often does this happen?
That might sound like common sense, but it’s a political dynamic that will take practical action and solid leadership to implement. An important first step is incorporating security and risk management into the business plan for growth and earnings, rather than viewing it as a reactive or back-office concern. Position security first, as an essential element of business strategy, and the role of the CISO is automatically elevated. Why? Because a proactive, thoughtful approach to security will recognize both the significance of cyberthreats and the advantages an empowered CISO can bring to the table. Businesses that treat security as a bolt-on emergency plan tend to relegate the CISO to a back-office, reactive function, instead of incorporating their knowledge into business decisions.
The Target breach was unfortunate. The company spent a considerable amount of money on compliance auditing, testing, and operations. But it was never fully secure. As at many companies, compliance became a checkbox that produced a false sense of security. The breach brought to light how severe and damaging cybercrime has become, but it also spotlighted how processes and corporate culture at any company can make it hard to step back and see an obvious opportunity for improvement. Look, no one wants to have weak security. And no one is more passionate about that desire than a CISO. For that very reason, it’s time to assign CISOs more influence and incorporate them deeper into their companies’ leadership, operations, and culture. They can help. They want to help. And they need to help.