Corporate security needs to be taken very seriously – especially in light of the fact that hackers can be nation-states, organized crime syndicates or other groups with significant resources. To date, companies in the US and elsewhere have shown they are vulnerable to attacks. And to be quite honest, with all the software which companies run, each with frequent updates and patches, corporate networks can seem more like Swiss cheese than Fort Knox.
Still, companies can and need to do more. They need to focus on the weakest links in their networks. Moreover, the fact that Target's CEO was forced out of the company should signal to other executives that failing to secure corporate networks properly is a career-ending mistake.
My colleague Peter Bernstein says the following about the situation:
As a statement from the Target board said, “He held himself personally accountable and pledged that Target would emerge a better company,” said the statement. “We are grateful to him for his tireless leadership and will always consider him a member of the Target family.” Steinhafel is remaining on as an advisor to the board, but his tenure as leader is over and prestigious executive search firm Korn Ferry has been hired to find a replacement.
“Where Target fell down and where all of their peers should be very concerned was not with their defensive measures (which were well-funded and thought to have been generally good), which actually detected the breach within a day of first compromise. This story is entirely about Target’s inability to 1) separate the real alarms from the noise, and 2) respond quickly, comprehensively and effectively to true cyber-threats. The vast majority of global businesses are in exactly the same position Target was (or even worse position), i.e., unable to manage incident response (IR) as a business process. Cyber-security vendors share more than a little of the blame, as many tout their wares as the cure to nasty things like the APT (Advanced Persistent Threat). But what good is technology if it neither tells users what alerts really matter, nor does anything to actually resolve them effectively?
The Target example will push global corporations and government entities to mature their IR posture. Incident response, which failed at Target, will become a key business process just like so many other operational processes, eventually being highly predictable, measurable and able to be relied upon every day. Incidentally, there is also a major push underway globally – the EU is already well ahead of the U.S. here – to codify breach notification, which will provide a legal IR requirement that does not exist today. That will expedite the maturing of IR processes even more.”
He believes that this situation will improve security at organizations, and I hope he is right. Fredric Paul at NetworkWorld agrees and says the following:
I’m hoping that Steinhafel’s departure will be viewed, especially by folks in the executive suite, as a clear and unmistakable life lesson of the bad things that can happen to you if your company suffers a security meltdown, whether or not it’s actually your fault.
No more Teflon CEOs?
That’s a really big deal. American CEOs have rarely been held to account for even the biggest mess-ups, much less technology-related issues. Sure, Target’s missteps have already cost CIO Beth Jacob her job, recently replaced with high-profile security expert Bob DeRodes, who has been a senior technology adviser for the U.S. Department of Homeland Security and the Secretary of Defense, among other roles. But dumping a CEO over an information security issue seriously ups the ante.
If other chief executives are paying attention to the end of their peer’s career, there’s a chance that security will finally get taken seriously in the boardroom as well as in the data center. After all, if the ousting of the CIO and CEO of a major corporation–a household name–isn’t enough to get the attention of top execs, it’s hard to imagine what would be.
One area of concern that does not seem to resonate in the market is BYOD security. IT has never had to deal with so many disparate devices it does not control. I suspect this will be a space ripe for hacking in the future, and companies have an opportunity now to evaluate their weaknesses so they are not the next two-part headline, the second part being the removal of one or more CXOs.