Target Names Its First CISO
Formerly Served as InfoSec Leader at GM and GE
Target Corp. has chosen the former leader of information security at General Motors and General Electric as its first CISO. The move comes in the wake of a massive data breach last year that exposed 40 million credit and debit card accounts and the personal details of 70 million customers.
Brad Maiorino will join the retailer June 16 as senior vice president and CISO, the company confirms in a June 10 statement. Maiorino will be responsible for Target's information security and technology risk strategy.
Maiorino will report to Bob DeRodes, executive vice president and CIO, Target says. DeRodes was appointed as CIO on May 5 (see: Target Hires New CIO).
Target's new CISO was GM's chief information security and information technology risk officer. He was responsible for leading the transformation of the automaker's global information security and IT risk organization. Previously, he was CISO at General Electric.
"Having led this critical function at two of the country's largest companies, [Maiorino] is widely recognized as one of the nation's top leaders in the complex, evolving areas of information security and risk," DeRodes says. "As an organization, we have made a commitment to our guests and our team that Target will be a retail leader in information security and protection. We believe [Maiorino] is the right person to lead that charge."
The creation of the position of CISO was announced by ex-CEO Gregg Steinhafel following the breach (see: Target to Hire New CIO, Revamp Security). On March 5, the company announced that it was overhauling its information security and compliance practices.
"I am looking forward to joining the Target team and helping them continue the progress they have made to be a retail leader in information security and protection," Maiorino says. "I am confident that the combination of a strong team and the leadership commitment will enable us to achieve that objective."
Target's announcement on selecting its new CISO came just one day before the company's annual shareholders meeting. A recent report prepared by Institutional Shareholder Services, which works on behalf of institutional shareholders regarding corporate governance, risk and proxy voting, recommended that seven out of 10 board members be replaced for their failure to provide adequate oversight of ongoing efforts to address cyber-risks (see: Target Breach: Hold Board Responsible?).
Analyzing the New CISO Hire
The timing of Target's announcement could serve as a strategic move ahead of the company's June 11 shareholders meeting. "The fire was stoked pretty well by ISS, but complementing the recent hiring of DeRodes [as CIO] with that of Maiorino should send a strong signal that Target has gotten its IT security house in order," says Al Pascual, fraud and security expert at Javelin Strategy and Research.
"Both have experience working at large organizations and were tasked with overseeing systems with sensitive data that was critical to the success of those organizations. Critics couldn't ask for much more from these new assignments."
The appointment of Target's first CISO comes at a time when the company is working to repair its reputation and address falling revenue. "The general public needs a reason to believe they are really taking security seriously to start feeling confident shopping there again," says Shirley Inscoe, a security and fraud analyst at Aite Group. "Hiring a person with experience at two previous large companies gives instant credibility."
Inscoe says Target made the right move in hiring someone from outside the retail sector. "With all the ongoing data breaches at retailers, consumer confidence that retailers take information security seriously enough is low," she says.
Francoise Gilbert, privacy attorney at the IT Law Group, notes that Target has lost market share because of the breach. "To regain consumer confidence, it needs to show action," she says. "The appointment of an experienced CISO is certainly a step in the right direction."
Gilbert says the new CISO needs to take several immediate steps. For example, Maiorino needs to learn the data flows and data uses within the company "so that he can identify the areas at risk and prioritize the actions associated with the development of a solid security program," she says.
"From a risk management standpoint, I would suggest that the new CISO organize security awareness and training sessions within the company to increase the probability that security vulnerabilities are identified and reported quickly."
Hord Tipton, executive director of (ISC)², says the new Target CISO needs to offer up a game plan to ensure that the philosophy of the organization matches expectations for the position (see: Target Needs a CISO - Interested?).
"The fact that this position is brand new to the company creates a new set of challenges and potential obstacles within the organization," Tipton says. "The new CISO should define the specific duties of the role to the entire company, while emphasizing that they alone cannot be successful in the role without the support, cooperation and understanding of the entire company - from the cashiers all the way up to the CEO."