Neiman Marcus, which suffered a data breach that may have affected around 1.1 million credit cards, is on the lookout for its first chief information security officer (CISO).
According to the Wall Street Journal, the job was posted in late May to the Neiman Marcus careers website. Job responsibilities include creating security and risk management programs, giving security guidance for all IT projects and bulking up the company’s disaster recovery policies.
However, a spokeswoman for Neiman Marcus told CIO Journal that the position was new, but did not say who the CISO would report to. The ideal candidate, the job notice says, “is an integrator of people and processes, a thought leader, a problem solver, an effective consultant and should possess solid domain competency in the field of information security.”
After headlines reporting that the CIO of Target had resigned over that company’s breach, closely followed by the CEO Gregg Steinhafel, Ian Pratt, co-founder of Bromium, said that it was “time for the industry to stop blaming CISOs and CIOs and start asking why, given our massive spend on security tools, attackers still get in”.
Tom Cross, director of security research at Lancope, said: “Although many organisations view their CISO as the person responsible for preventing security incidents from ever happening, even well protected organisations experience breaches.
“I think it’s more healthy and appropriate to view the CISO as the person responsible for ensuring that the organisation is adequately prepared for whatever attacks it may face. This includes taking the right steps to prevent foreseeable attacks from being successful, but it also includes taking steps to make sure that the organisation is equipped to respond professionally to successful breaches.”
After the attacks by hacktivists in 2011, Sony announced plans to hire a CISO and appointed Philip Reitinger, a former director of the US National Cyber Security Center and a former Microsoft employee.
Asked if the situation could have been avoided had a CISO been in place, TK Keanini, CTO of Lancope, said it depends on the CISO. “The level of leadership an organisation needs when they are new to doing business on the internet is of superhero levels,” he said. “This CISO has to completely change the mindset of the business, their suppliers, and their customers, because everywhere the business touches is a target for these adversaries.
“Breaches are going to happen – the cultural change here is that the CISO must provide the leadership and transformation so that the organisation is ready and can respond in a way that ensures business continuity.
“A great CISO also attracts the industry’s best talent, and this is an important resource when you consider the talent levels trying to attack your business. He or she should be graded not only on how they avoid and minimise these crisis situations but also on how they behave and respond in times of crisis.”