Attacks/Breaches
3/6/2014
03:00 PM
Connect Directly
RSS
E-Mail
50%
50%

Target CIO's Resignation: 7 Questions

After the data breach, why didn't the buck stop with PCI assessors or CEO? Search for accountability reveals flawed system, much finger-pointing.

considering CIO, CISO, or chief compliance officer roles at Target? "The moral of this story is, if you're in IT, don't go into retail," said Gartner's Litan. "Although the attackers are going everywhere," she added, noting that the retail industry is hardly the only sector being pummeled.

5. Will payment industry step up to stop POS malware?
Target's technology and risk reorganization aside, Litan said that the relative ease with which attackers can compromise POS systems doesn't only come down to the health of a retailer's information security program. "It's unfair to expect retailers to be able to fight this type of sophisticated malware," she said. "Even the security companies miss this type of malware." Litan continued, "It's really the payment systems themselves that have to change." Don't expect a working solution to the problem unless the payment card industry steps up.

6. Will PCI assessors take responsibility?
Likewise, part of the blame for Target's breach may lie with whichever Payment Card Industry Qualified Security Assessor (PCI QSA) certified Target as being compliant with the Payment Card Industry Data Security Standards (PCI DSS). "What about the QSA? No one ever talks about these PCI assessors," Litan pointed out.

She also criticized PCI assessors for having language in their contracts that precludes them from being held liable if a certified business they've certified as PCI-compliant later suffers a breach. "Why should the assessors escape liability? They're the third-party experts who are certified to achieve PCI compliance -- the CIO never went through PCI certification," Litan said. "That's why this process is so flawed. It's just stacked against the retailers and stacked for the banks and PCI players. They don't lose anything from these breaches, except for public reputation."

7. Life after Target for Jacob?
With Jacob's tenure as Target's CIO finished, will the retailer's data breach ruin her future career prospects? Co3's Julian said that in fact, the opposite will likely be true. "Frankly, it's been proven that the speaker's circuit is a great place -- honestly -- for people to talk about the experience, and lessons learned, and all the rest," he said. "On top of that, often these people end up at a different CIO gig, or at some type of a consultancy, so this is not necessarily career-limiting at all."

Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
3/10/2014 | 2:40:52 PM
Re: Where is the CEO's responsibility?
Who would you put in charge of security if not the CIO?
ThomasW784
50%
50%
ThomasW784,
User Rank: Apprentice
3/10/2014 | 2:07:13 PM
Re: Where is the CEO's responsibility?
Yes, JREY146's post is the article that Information Week should have written.

Target decided as a matter of business strategy to run the risk of customers' data loss rather than incur the cost of duely diligent security. 

OK, part of being in the C-suite (CIO in this case) means falling on your sword, or agreeing to be pushed on it. But this is classic scapegoating. Candidates to fill the CIO position will want to ask whether Target is going to give data security higher priority than before, and whether they'll spend the money to make it so.

It's also time for the rest of the e-commerce world (banks, credit card companies, regulators...) to admit that core data losses are a different kind of problem, not the same as the slow trickle of individual identity compromises, and stop treating all data losses as just the cost of being in this business.
marylori
50%
50%
marylori,
User Rank: Apprentice
3/10/2014 | 3:08:20 AM
Garcinia Cambogia Pro
 

Thank you for broadening my knowledge on this aspect to groom up my skills here.

 

Garcinia Cambogia Gold  / Garcinia Cambogia Pro
JFREY146
50%
50%
JFREY146,
User Rank: Apprentice
3/9/2014 | 4:10:48 PM
Where is the CEO's responsibility?
Isn't it the CEO's responsibility to run the company?  For years Cybersecurity has been on the forefront, when are CEOs and their C-suite pals going to wake up and realize that putting the CIO in charge of information security is like bringing an Accountant to a murder trial?  Information Security is not a tehcnical problem, it is a business problem and should have a strategy that aligns with the business along with representation at the C level.  Additionally, boards of directors are ultimately responsible for the business (with delegation to the CEO).  They should be demanding these organziational alignments, regular updates, etc.  Doing all this will not stop the breaches 100%, but it will make them much more secure than they are now...
NielH146
50%
50%
NielH146,
User Rank: Apprentice
3/7/2014 | 5:18:50 PM
Re: Retail IT security woes
If you think she resigned of her own choice, you are kidding yourself.  This was not about taking accountability, this is about Target firing her under the guise of her resignation. 

 
MyW0r1d
100%
0%
MyW0r1d,
User Rank: Apprentice
3/7/2014 | 10:30:46 AM
Re: Retail IT security woes
As long as they "are" smart CIOs.  She had a long history with Target, back to 1984 if I recall her bio correctly, a degree in retail sales and MBA which means she knew the retail industry from Target's point of view and it is important to provide a path for your best employees.  That does not always translate however to being able to manage and fully understand technology's risks/security.  30 years in the same company also promotes tunnel vision.  In smaller companies, you might be able to get away with running on autopilot (as one of my bosses once said, promoted beyond his level of competence) but as one of the largest, leading retailers they should have had a CIO with CIO credentials.  Hiring CISO and audit/compliance professionals is a step in right direction, after leaving the barn door open.
WKash
50%
50%
WKash,
User Rank: Apprentice
3/6/2014 | 5:07:04 PM
Assessors
You raise a good point about the PCI assessors. Not holding assessors accountable in some way is the moral equivalent of letting an auditing firm off the hook in the face of corporate fraud. Hopefully enterprises haven't forgotten the lesson of Enron and Arhur Andersen.  Now that government sector is embracing third party assessors with FedRAMP, the role of IT / security assessors is likely to become more important (and probably more competitive.)  In the meantime, it's hard to believe Target is only now looking to hire a CISO.  Just goes to show,  risk management still doesn't prepare you for Black Swan events.

 
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
3/6/2014 | 4:45:18 PM
Re: Retail IT security woes
Is may be worth asking why other CIOs have remained in their jobs after major breaches. After all, this is hardly the first massive data breach or organization that has been compromised.
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
3/6/2014 | 3:56:59 PM
Re: Retail IT security woes
Personally I find it refreshing to see a leader take ownership of what happened on her watch. Is it fair? Well, as we all know, life isn't fair. But the US could do with more accountability by top leaders.
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
3/6/2014 | 3:19:18 PM
Retail IT security woes
Don't go into retail? If the smart CIOs walk away from retail, we're in trouble. Turnaround experts have an opportunity here, right?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.