Target has announced that it is to hire a new CISO following the major breach and the loss of its CIO and CEO.
According to Security Week, the company announced that it has hired Brad Maiorino as senior vice president and CISO. Maiorino will join the retailer on June 16th and will be responsible for the company’s information security and technology risk strategy, reporting to CIO Bob DeRodes, who was hired by the company in April.
The news follows the announcement earlier this week that Neiman Marcus, which also suffered a major breach, was on the lookout for its first CISO.
Maiorino comes to Target from General Motors, where he was the company’s CISO and information technology risk officer, responsible for leading the transformation of the company’s global information security and IT risk organisation.
Maiorino said: “I am looking forward to joining the Target team and helping them continue the progress they have made to be a retail leader in information security and protection.
“I am confident that the combination of a strong team and the leadership commitment will enable us to achieve that objective.”
Brendan Rizzo, technical director for EMEA at Voltage Security, said: “The new generation of CISOs have the unenviable task of having to be visionaries, internal insurance salespeople and, all too often, scapegoats if things go wrong.
“An effective CISO must have the vision to stay ahead of the latest technological trends and threats, the political wherewithal to sell their vision internally, and the realistic understanding that, if they are not able to accomplish these tasks, their reign as a CISO may be short lived.
“CISOs are therefore quick to employ the latest industry best-practice approaches such as data-centric format-preserving encryption to give their companies the best possible defense against costly data breaches, even if they aren’t able to immediately uncover every possible threat to their companies’ sensitive data.”
However, Martin McKeay, security evangelist at Akamai, told IT Security Guru that he thought this was not a good move, as the new CISO will be reporting to the technical department rather than the business department. “He must be in the business department and be involved with them from the beginning,” he said. “Whatever decisions are made on new products or features, if he is not involved from the ground up, how will it be done securely? How will he enable the business with mitigating risk? It is different from securing companies, as you need to make security a core part of the business depending on your processes.”