In the aftermath of what was then the most damaging retail breach on record, a CEO in the financial industry explained his company's position on the issue:
“Look, unfortunately, the cybersecurity, as we’ve now pointed out for a year, is a big deal. It’s not going to go away. And all of us have a common interest in being protected. So this might be a chance for retailers and banks to for once work together as opposed to sue each other like we’ve been doing the last decade.”
The remarks were picked up by the AP, which quoted them in an article with the headline: “Target breach is a wake-up call.”
That CEO? JP Morgan’s Jamie Dimon.
We don't need any more wake-up calls. It is well established that cyber criminals are stealing payment card data at scale. Home Depot's experience this week was just the latest example.
Without talking to anyone at Home Depot, I am certain we will hear from the company that the breach happened, but that they were also in full compliance with the industry's PCI standards. We will also likely hear that they deployed extensive security monitoring systems and that they have been spending millions of dollars each year with a highly reputable security monitoring company.
Yet with all this investment, Home Depot still suffered a significant loss. The forensic investigators will partly explain this by highlighting gaps in the security program, and we'll all talk about the "lessons learned from the breach" and the areas where current security best practices and PCI standards can be improved. But the truth is that it's time for things to change: compliance with a standard is not the same as being secure, and a monitoring contract is not the same as detecting an intruder.
This is not about ridiculing the unfortunate retailer of this week. We’ve seen enough CEO “perp” walks to last us for this cycle.
We have to change our security and compliance programs. The first test is for all retailers to read their incident response plans. If page one says, "Wait for a call from Brian Krebs to notify you that you were breached," your incident response plan is probably not very effective.
Every CEO I contact asks three basic questions:
1. How do I know if I am already compromised? What tests should I conduct right now?
2. If my security team identifies issues, how would they know to inform me or others in senior management? When would they notify us, and what data would they present?
3. How do I instruct my CIO and CISO to assess our current risk posture and report to me and the Board on the measures that are justified to protect sensitive data and critical systems? How would I know whether they are doing everything that is justified?
We (the security experts) need to align with the needs of our business and close the known gaps. Some of these breached retailers were great businesses that thought they were doing the right things (although lax standards become less excusable by the minute). We all have to learn from this breach.
Let’s look at fresh approaches to securing our customers. I think I can speak for most CISOs in stating that the willingness to talk about cyber risks has never been higher and the fear of corporate retribution for disclosing those risks is diminishing.
We all feel more welcomed to the board room. Now, we just need to communicate in a way that improves risk management.