The most recent development involves the resignation of Target's CIO, Beth Jacob. Rather than addressing the fundamental issues in Target's security program that contributed to the breach, Target leadership opted for a C-Suite shakeup. And, Target sacrificed an individual who was not the information security officer, which is evidence that Target's security program suffered from another common error: thinking that information technology and information security are synonymous. To be sure, there is a large technology component to information security and the two teams work closely together. But, the two disciplines are distinct in their scope and mission, confusing or combining them substantially increases the potential for security gaps.
That is not to minimize the role that IT contributes to information security, but to recognize that IT has a set of objectives separate from information security. Much of ITs focus is on evaluating new technologies and implementing them in support of the company's operations. Increasing efficiency, reducing costs, maximizing network assets, ensuring interoperability, managing a wide array of physical devices and software licensing and developing or vetting new software platforms are all primary among IT's functions. The IT department also must keep the network working efficiently, which can sometimes be at odds with securing the information.
As an example, one decision often made by IT is to remove log files before they overload a server. This supports the IT goal of having an efficient network. A security professional will see log files as important artifacts and require that they be retained, and together IT and information security will form a plan to retain the files somewhere other than the server so that both goals are met. That is just one example of how Information Technology teams are responsible for a range of objectives, many of which differ from Information Security.
Because IT is focused on reliable infrastructure and getting the most out of every network component, expecting them to objectively evaluate potential lapses in security often is counterintuitive, particularly when closing those gaps may conflict with optimizing the available infrastructure assets. Asking IT to evaluate the security of a system they built is akin to asking college students to grade their own assignments. They don't lack intelligence or desire, they are just focused on a different area of knowledge and need someone who does have specialized expertise to provide an opinion.
A chief information security officer's (CISO) mission extends beyond technology and focuses on factors that could compromise the security of the organization's data assets. Gaps may lurk in technology or in process or in administrative controls. The CISO must evaluate these types of issues objectively, and work alongside IT to balance technology's usefulness to the organization with the company's obligations to protect its data.
Data breach risks must be addressed across the organization, by IT and other organizations working with InfoSec. In the case of Target's exposure, many factors came together to create an opportunity for a breach. For retailers watching these developments, several key points are worth noting.
One such lesson is that any vendor with network credentials should be prevented from accessing sensitive data that is outside the scope of what is required to do the job. For those vendors who are granted network access, provisions should be included in their contracts that stipulate the terms of that access and that outline their responsibilities both to prevent a breach as well as to respond to any suspected exposure. In addition, the proper segregation of data—more a data retention/management function than an IT task—must be closely administered to ensure sensitive data isn't inadvertently exposed.
A final note about Jacobs' resignation is that the decision to replace her with an interim CIO, rather than to keep her and pursue establishing a CISO within the Target organization deserves examination. Effectively managing a retailer's data breach risk profile requires security expertise and experience and the ability to work with IT, operations, legal, and other departments to craft an overall security program.
From what we know of the Target story, the security technology tools at Target were solid. Target suffered from a security incident response plan that did not escalate a warning appropriately, a lack of contractual provisions on third-party access and responsibilities, and a lack of vendor due diligence that confirms each vendors' security is aligned with their access to sensitive data. By placing responsibility for InfoSec within the IT organization, as Target has done, retailers are setting themselves up for problems down the road.
Deena Coffman is CEO of IDT911 Consulting.