Stop Hitting the Snooze Button

Rick Dakin, CEO, Co-founder and Chief Security Strategist

In the aftermath of the most damaging retail breach in history, a CEO in the financial industry explained his company’s position on the issue:

“Look, unfortunately, the cybersecurity, as we’ve now pointed out for a year, is a big deal. It’s not going to go away. And all of us have a common interest in being protected. So this might be a chance for retailers and banks to for once work together as opposed to sue each other like we’ve been doing the last decade.”

The remarks were picked up by the AP, which quoted them in an article with the headline: “Target breach is a wake-up call.”

That CEO? JP Morgan’s Jamie Dimon.

We don’t need any more wake-up calls. It’s a known fact that cybercriminals are stealing credit card data. Home Depot’s experience this week was just the latest example.

Without talking to anyone at Home Depot, I am certain we will hear from the company that the breach happened, but that they were also in full compliance with the industry’s PCI standards. We will also likely hear that they deployed extensive security monitoring systems and that they have been spending millions of dollars each year with a highly reputable security monitoring company.

Yet with all this investment, Home Depot still suffered a significant loss. The forensic investigators will explain this somewhat by highlighting gaps in the security program, and we’ll all talk about the “lessons learned from the breach” and the areas where current security best practices and PCI standards can be improved. But the truth is that it’s time for things to change.

This is not about ridiculing this week’s unfortunate retailer. We’ve seen enough CEO “perp” walks to last us for this cycle.

We have to change our security and compliance programs. The first test is for all retailers to read their Incident Response program plans. If page one says: “Wait for a call from Brian Krebs to notify you that you were breached,” your incident response plan is probably not very effective.

Every CEO I contact asks three basic questions:

  1. How do I know if I am already compromised? What tests should I conduct – right now?

  2. If my security team identifies issues, how would they know to inform me or others in our senior management? When would they notify us and what data would they present?

  3. How do I instruct my CIO and CISO to assess our current risk posture and notify me and the Board on the measures that are justified to protect sensitive data and critical systems? How would I know if they are doing everything that is justified?

We (the security experts) need to align with the needs of our business and close the known gaps. Some of these breached retailers were great businesses that thought they were doing the right things (although lax standards become less excusable by the minute). We all have to learn from this breach.

Let’s look at fresh approaches to securing our customers. I think I can speak for most CISOs in stating that the willingness to talk about cyber risks has never been higher and the fear of corporate retribution for disclosing those risks is diminishing.

We all feel more welcomed to the board room. Now, we just need to communicate in a way that improves risk management.

Rick Dakin
