The fallout from last year’s Target data breach continues. Late last month, the Wall Street Journal reported that Institutional Shareholder Services (ISS) has taken “the unusual step of recommending that Target Corp. shareholders oust seven of the company’s 10 directors, citing what it called the board’s failure to manage risk and protect the retailer from a massive data breach.” The ISS “rarely recommends voting against a majority of the board,” according to the WSJ’s Paul Ziobro, making this a particularly brutal new blow for the retailer. We spoke to CipherCloud Chief Trust Officer Bob West to get his opinion.
Do you agree with the ISS’s assessment that the Target data breach could have been prevented if not for corporate negligence?
Bob West: Absolutely, based on what I know. Let’s take a look at this systemically. They didn’t have a CISO. If you don’t have someone setting strategic direction, it’s tough to protect information consistently across an enterprise. In the absence of that, things are going to fall through the cracks.
Ultimately, the board of directors is responsible for making sure the right controls are in place across the enterprise. Clearly there’s a large number of board members that don’t understand what they need to do.
And on the other hand, everyone’s pretty smart. They have people they know, and it would have been relatively easy to say, “Who do you know who could give us some counsel?” Most board members sit on more than one board. Bottom line, there are a lot of resources that could have been taken advantage of to make sure that a) they understood what needed to be done, and that b) the right level of oversight was provided.
Bob West: Yes. Think of it from a technical complexity perspective, how big Target is. If you don’t have a strategic approach and you don’t have clear direction to protect such a large environment, it’s not going to get done. And the only way it’s going to get done is if you have someone leading the way at the executive level, and, as importantly, someone that has access to the executive team and board. You have to have someone at the executive level that’s driving information protection strategy. It’s not to say that that in and of itself would have solved the problem, but in the absence of having someone setting corporate strategy and protecting information, it becomes really hard to minimize risk to the organization.
There was a Ponemon study done that measured the influence various factors have on the cost of a data breach. The study found that having a CISO appointed had a negative impact on the cost of data breaches—that is to say, it reduced the cost of data breaches.
Source: Ponemon Institute – 2014 Cost of Data Breach Study: Global Analysis. The full survey can be accessed here.
What can other organizations do to prevent a repeat of the Target data breach?
Bob West: The first thing is to have someone that’s leading the way. Have a CISO in place, or a CSO. That’s a starting point. The next component is to have the right foundational level of governance over the information security program. The board is the highest level, but then you also typically have a governance committee over the program that’s made up of people at the right level across the enterprise—human resources, legal, compliance, business, technology, audit—there’s this whole cast of characters that needs to be there.
It’s leadership. It’s setting the right direction. There are a lot of people who have grown up in the tech world, and their instinctive reaction is “What’s the tool I need to buy?” when, in fact, managing human behavior is the ultimate objective. You can have the right technology in place, but if people don’t use it properly, the probability of protecting information at the right level will go down.