There have been an increasing number of articles and surveys about how corporate boards of directors should be more aware of threats posed by hackers—and board members are paying more attention to this issue. According to a recent article in the Wall Street Journal, the number of publicly traded American companies referencing the words “data breach,” “cybersecurity,” “cyberattack,” “hacker” or “hacking” in the list of risks they face rose from 879 in 2012 to 1,517 by June 2014.
Considering the increased space newspapers and TV news shows are devoting to stories about data breaches like the one at Target in the fourth quarter of 2013, this would appear to be a reasonable response to a growing problem. But what role does the board really play?
Anyone familiar with the Control Objectives for Information and Related Technology (COBIT) will recall this widely used framework is “for the governance and management of enterprise IT.” And solid IT policies, procedures and practices will always be the foundation of any successful effort to secure enterprise data. Security has to be in the IT bloodstream—and that requires diligence on the part of the leadership team.
So what happens when that’s not the case? Remember Target? Sometimes we need to learn from others’ mistakes. I don’t intend to single out Target. Everything that happened to them could just as easily have happened to another retailer. Let’s consider how Target responded once the breach became front-page news. Also, pay attention to the board’s posture toward data security prior to the breach.
Since the breach at Target exploited weaknesses in the point of sale system, Target decided to spend approximately $100 million on “chip-and-pin” (EMV) credit card technology. And that’s great, because EMV technology is more secure than the magnetic stripe cards dominant in the U.S.
Unfortunately for Target, highly respected security blogger Brian Krebs says this fix doesn’t address the problems that led to the breach in the first place. From a security standpoint, Target needed end-to-end encryption: encryption at rest and encryption in transit.
This brings up the question of why Target is fixing a problem that doesn’t address the security issue. We’re not privy to the discussions of Target’s board of directors when it was making that decision, but it’s worth noting that Target didn’t have a chief information security officer (CISO) or chief security officer at the time of the highly publicized breach—and the company still didn’t have one when discussing what steps to take to secure its data afterward. However, on June 11, 2014, Target did hire Brad Maiorino from General Motors as its CISO.
In this type of situation, it’s hard to make a good decision without the technical knowledge and experience to analyze the issues at the heart of a data breach. And even if Maiorino had been hired immediately, it would still have been too late. It takes time to understand an organization’s technical aspects and the maturity of its security stance. It also takes time for the board to gain trust in the CISO’s decision-making ability and technical understanding. In other words, a CISO has to be hired before the crisis to be effective.
One other item we can learn from Target: how to structure the reporting of the CISO. Maiorino reports to Target’s new chief information officer (CIO), as opposed to, say, the chief financial officer. One commentator said this was a statement of confidence in new CIO Bob DeRodes, which may well have been the intention.
Why would that be a problem? Well, the CIO has to make difficult technology budget decisions—often balancing the need for revenue-producing systems versus the more defense-oriented security systems a CISO is likely to champion. And, after all, Target just spent $100 million to address their security concerns, right?
If information security is to have the ear of the board, there must be a conversation in the board room. If that conversation happens in the CIO’s office instead, how does the board know it has heard all the relevant issues, risks and opinions about the importance of those risks? And perhaps more importantly, how do board members know they’re considering the appropriate responses to those risks? It’s something to think about. And we’ve already seen what can happen when the board doesn’t pay enough attention to the governance of information security.
Latest posts by David Powis-Dow (see all)
- The Inevitability of Cyber-Attack - December 3, 2014
- How Does Governance Impact Information Security? - September 10, 2014
- IT Change Management Survey Finds Many Changes Are Undocumented - June 16, 2014