Target to Hire New CIO, Revamp SecurityRetailer Also Adding a CISO in Wake of Massive Breach
In the wake of its massive data breach last year, Target Corp. is overhauling its information security and compliance practices, launching a search for a new CIO and creating the position of chief information security officer, says CEO Gregg Steinhafel.
See Also: 2016 Social Engineering Report
"While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly," Steinhafel says in a statement provided to Information Security Media Group. "To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices."
The first step in that overhaul is conducting an external search for an interim CIO to replace Beth Jacob, who resigned March 5. Jacob had served as CIO since 2008, according to her company biography.
In a letter to Steinhafel obtained by The New York Times, Jacob said her resignation was "a difficult decision," but noted that "this was a time of significant transformation for the retail industry and for Target."
Hiring a CISO
Steinhafel reveals in his statement to ISMG that Target is now "elevating the role" of its chief information security officer and hiring outside the company to fill the position. Target also plans to initiate an external search for a chief compliance officer, he says.
Target is working with Promontory Financial Group to "evaluate our technology, structure, processes and talent as a part of this transformation," Steinhafel adds.
Until now, Target's information security functions have been handled by a variety of executives, The New York Times reports. Bringing on a new CISO is expected to centralize the company's security responsibilities.
Compliance duties had previously been overseen by Target's vice president of assurance risk and compliance, who plans to retire at the end of March, according to The Times. Target is now separating the responsibilities for assurance risk and compliance.
On Dec. 23, Target confirmed malware was to blame for an infection of its point-of-sale system that likely exposed details associated with 40 million debit and credit cards between Nov. 27 and Dec. 15. The breach also affected personal information on up to 70 million customers.
The security incident contributed to a 46 percent decline in the company's net earnings in the fourth quarter of its 2013 fiscal year.