Neiman Marcus Hires First CISO
Move Comes in Wake of Breach Affecting 350,000 Payment Cards
Luxury retailer Neiman Marcus has hired its first chief information security officer following its data breach late last year that compromised approximately 350,000 payment cards.
Sarah Hendrickson, who joined the company Nov. 3, will "work to develop security and risk management programs, among other responsibilities," company spokesperson Ginger Reeder tells Information Security Media Group. The new CISO reports to Michael Kingston, the retailer's CIO, Reeder says.
Hendrickson most recently served as CISO at Children's Medical Center of Dallas.
Security Leadership a Must
The news sends a reminder that, at this point, every major retailer should have a CISO, says Julie Conroy, a security analyst at the consultancy Aite Group. "Without question, someone with C-level responsibility for a retailer's cybersecurity strategy is a must," she says. "As we have seen, the threat environment is progressing too fast for security to be a siloed effort or an afterthought."
The only reason a company should forgo hiring a CISO is if its CIO is already performing that function appropriately in managing the risk to the company's assets, says Karen Evans, national director of the U.S. Cyber Challenge, a national cybersecurity workforce initiative, who also served as administrator for e-government and IT in the George W. Bush White House.
Evans says Neiman Marcus' new CISO needs to gain a clear understanding of the company's management structure, as well as the relationships between the CIO and the CEO and the board members. Hendrickson should also understand "her technical environment in order to mitigate residual risk from the improvements the company has been making since the breach," Evans says.
With the holiday season fast approaching, and the retail sector being hit hard with payment breaches, "it will be critical to have a good, resilient infrastructure and supporting management structure," Evans says.
Neiman Marcus in June launched its search for its first CISO, indicating that the candidate must have eight to 10 years of experience in a significant information security leadership role, according to a job description that was posted to the retailer's website (see: Neiman Marcus Searching for a CISO). In the job posting, Neiman Marcus noted: "The CISO will proactively work with business units to implement practices that meet defined policies and standards for information security." The posting also said the CISO needs to be able to work with executive management in determining acceptable levels of risks for the organization (see: Winning Support for Breach Prevention).
The security officer's responsibilities will include developing business-relevant metrics to measure the efficiency and effectiveness of the information security program, facilitating appropriate resource allocation and increasing the maturity of the program, Neiman Marcus says.
Other duties for the CISO will include: developing and managing information security budgets; creating security and risk management awareness training programs for all employees; providing subject matter expertise to executive management on a broad range of information security standards and best practices; and ensuring security programs are in compliance with applicable laws, regulations and policies.
Neiman Marcus was hit with a malware attack that collected payment card data from its systems from July 16 to Oct. 30, 2013.
Visa, MasterCard and Discover notified the company that, as of February 2014, approximately 9,200 of the 350,000 compromised cards were subsequently used fraudulently elsewhere, Neiman Marcus said.
The retailer said that 77 of its 85 stores were impacted by the malware. "At these 77 stores, the malware was not operating at every register or every day during the July 16 - October 30 period," an FAQ on the company's site says.