We might be heading into summer, but the repercussions of last winter’s Target breach continue. The latest development: Gregg Steinhafel, the chairman and chief executive of Target, has resigned after being with the company for 35 years. This follows the resignation of chief information officer Beth Jacob.
The breach, which exposed the payment data of 40 million Target customers and the personal data of an additional batch of 70 million customers, has become a high-profile media story and a bellwether in the security landscape. At first glance, Target seems to be following the usual post-attack trajectory: an embarrassed brand, nervous customers, new security challenges and staggering expenses. But as the second-largest U.S. retailer, Target’s struggle to cope with the breach aftermath and build a stronger security culture contains valuable lessons that every organization should pay close attention to.
Consider what Target’s experience has taught us so far.
- Continually reexamine your security program. Target has committed to a radical transformation of its information security practices, an overhaul that encompasses technology, structure, operational processes and talent. This includes accelerating its adoption of chip-and-PIN technology for its own debit and credit cards and a reevaluation of its systems and leadership. (Target has admitted that its security technology generated alerts about suspicious activity and that those alerts went unacted upon.) What organizations can learn from this: staying vigilant against evolving threats means keeping up with current attacker techniques and defensive practices, and, just as importantly, making proper use of the detection technology you already own. An alert that nobody triages is no better than no alert at all.
- Leverage your CISO. Target is also elevating the role of its CISO, a paradigm shift many companies would do well to imitate. Even though a CISO is a thought leader in security, many organizations fail to leverage their expertise sufficiently. By prioritizing risk management objectives and security controls when it comes to business strategy, organizations can empower the CISO with the right responsibilities and the right tools to protect the company.
- Make sure your security leads compliance. In an IT world where too many companies let compliance lead security instead, this is a major lesson from the Target breach. Here’s the harsh truth: Target passed a compliance audit just months before the breach. This is the perfect example of how compliance does not and cannot guarantee adequate security.
We’ve talked about this before. Your security program should be built from the ground up based on your organizational needs, and should account for components beyond compliance controls, such as non-digital threats and vulnerabilities. Compliance should be the byproduct of your security program, not the source of it. Remember, compliance offers only a minimal baseline of protection, which means it cannot serve as a roadmap to full security. Focus only on compliance and your cloud environment will have gaps in its security. Please check our “Making Sense of Security & Compliance” webinar from last week for a more in-depth explanation if you didn’t get a chance to attend.
Though cybercrime is always a painful experience, each large-scale breach is an opportunity to learn and build a stronger security posture. Target’s actions so far have provided useful suggestions for any organization that wants to avoid its own breach. As time goes on, we may end up learning more lessons from Target or other organizations. Until then, consider what changes you can make to keep your own organization secure. Reassessment and evaluation should be an ongoing process and part of every corporate culture.