Neiman Marcus Searching for a CISO
Experts Describe the Ideal Candidate to Aid Company Post-Breach
Neiman Marcus is looking to hire its first chief information security officer following the Dallas-based luxury retailer's high-profile data breach last year that affected 350,000 credit and debit card accounts.
The company says the candidate must have eight to 10 years of experience in a significant information security leadership role, according to a job description posted to Neiman Marcus' careers website.
"The CISO is responsible for establishing and maintaining an enterprisewide information security program to ensure that information assets are adequately protected," the job description says. "This position is responsible for identifying, evaluating and reporting on information security risks in a manner that meets or exceeds compliance and regulatory requirements."
Security experts say the ideal candidate for the position will need to have a strong background in compliance and business management so they can work with executive management to determine acceptable risk levels in the organization.
In the job posting, Neiman Marcus notes: "The CISO will proactively work with business units to implement practices that meet defined policies and standards for information security."
The CISO also needs to be able to work with executive management in determining acceptable levels of risks for the organization (See: Winning Support for Breach Prevention). "The CISO must be highly knowledgeable about the business environment and must ensure that information systems are maintained in a fully functional, secure mode."
The security officer's responsibilities will include developing business-relevant metrics to measure the efficiency and effectiveness of the information security program, facilitating appropriate resource allocation and increasing the maturity of the program, Neiman Marcus says.
Other duties for the CISO will include: developing and managing information security budgets; creating security and risk management awareness training programs for all employees; providing subject matter expertise to executive management on a broad range of information security standards and best practices; and ensuring security programs are in compliance with applicable laws, regulations and policies.
This is the first CISO the company is hiring, according to The Wall Street Journal. Neiman Marcus did not immediately respond to a request for additional information.
The Ideal Candidate
Neiman Marcus' job description for a CISO likely will attract a person who is compliance-oriented, says Karen Evans, a partner at the management consulting service KE&T Partners LLC who previously worked at the Office of Management and Budget.
"The job description itself is focused on compliance and regulatory requirements vs. the strategic integration of threat information to protect their information assets," she says. "You would need a person who can ingest the specific threat information related to their industry and integrate that information to manage their information assets to an acceptable risk level."
The position will most likely attract ambitious managers who understand information technology, says William Hugh Murray, a management consultant and trainer in information assurance specializing in policy, governance and applications. "[It] requires a seasoned executive who understands retail and the Neiman Marcus culture and management system," he says.
The CISO will also need strong business acumen "to accompany technical skills to build a strong information security risk management program," Evans says. "The key will be to be prepared and [have] the ability to illustrate Neiman Marcus exercises due diligence when the next event occurs so they may properly respond to the incident."
Advice for the New CISO
Offering advice to the new CISO, Evans says the individual will need to look at the threat intelligence associated with the retail industry "in relationship to the assets you own and start there."
Other priorities the CISO should consider going into the job, Murray says, include requiring strong authentication for privileged insiders. "[Also], alerts and alarms should be distributed in such a way that each is seen by multiple people with the ability to recognize the need for corrective action," he says.
Hord Tipton, executive director of (ISC)², a not-for-profit organization that specializes in information security education and certifications, references his recent blog detailing the challenges the incoming Target Corp. CISO will most likely face in their new position, saying the new Neiman Marcus CISO will face similar challenges.
"The prospective CISO should go into the interview with a game plan to ensure that the philosophy of the organization matches expectations for the position," Tipton says. "This will also show that he/she is not only prepared for the position, but ready to hit the ground running. He/she can't be afraid to tell the hiring manager or CEO what they need to be successful in the new position."
In late February, Neiman Marcus revised downward its estimate of the number of payment cards compromised in its breach last year (see: Neiman Marcus Downsizes Breach Estimate). An investigation determined that the number of potentially affected credit and debit cards was about 350,000, down from the original estimate of 1.1 million.
The breach involved a malware attack on the company's network that was designed "to collect or scrape payment card data," the company says. The window of time malware was collecting payment card data from its systems was from July 16 to Oct. 30, 2013.