US retailer Target finally gets its first CISO

That it often takes a data breach to get one is a sad reality for many companies, analyst says

US retailer Target has hired a new Chief Information Security Officer (CISO), a move that is noteworthy mainly because it is the first time the company has had anyone in this role, even though it is one of the largest retailers in the U.S.

Target on Tuesday announced that Brad Malorino is its new senior vice president and chief information security officer. In that role, Malorino will be responsible for managing Target's technology risk strategy and for taking steps to avoid a repeat of the massive data breach at the company last year.

Malorino was previously the chief information security and information technology risk officer at General Motors, where he was responsible for overhauling the automaker's global information security organization, Target said in a statement.

Prior to GM, Malorino was CISO at General Electric. As Target's CISO, Malorino will report to Bob DeRodes, the company's recently appointed chief information officer.

Target's decision to hire Malorino comes about six months after the company disclosed a massive breach that exposed data on about 40 million credit and debit cards and personal data on about 70 million customers.

Target's security practices came under intense scrutiny following the breach, with many faulting the company for not having basic precautions in place for detecting and responding to the intrusion. The breach has already cost Target's former CIO Beth Jacobsen her job and was at least partly responsible for Target CEO Gregg Steinhafel's decision to step down as well.

Recently, Institutional Shareholder Services (ISS), a company that advises institutional shareholders on governance risk and proxy voting issues, said it wanted seven of Target's 10 board directors voted out for not paying enough attention to data security risks.

The report noted that Target's board should have been aware, even before the breach, of the possibility of theft of sensitive information given the company's size and the number of credit and debit card transactions it handles.

Consequently, the company's move to appoint a new CISO and a chief compliance officer appears to be a case of too little too late, ISS noted. "The addition of these 'new' positions raises serious concern about how Target could have been running a business of its size and complexity without these permanent roles," the report said.

Target, though, is not the only large company guilty of such oversight.

Neiman Marcus, another big name retailer that suffered a recent data breach, is also only now looking to hire a CISO. In a recent job ad, the company said it is looking for a vice president and chief information security officer to establish and maintain an enterprise-wide information security program.

The position will be responsible for "identifying, evaluating and reporting on security risks in a manner that meets or exceeds compliance and regulatory requirements," the job ad noted.

A recent survey-based report by PwC on the state of U.S. information security practices found that a "vast majority" of the companies that participated had cybersecurity programs that fell well short of recommended best practices. For instance, just 28% of the companies had a CISO.

The fact that many companies, including large ones like Target, get religious about security only after a breach is a surprising but "sad reality," said Richard Stiennon, principal security analyst at IT-Harvest.

Companies like Target should have hired a CISO years ago -- particularly after breaches at companies like TJX, which highlighted the threat retailers face, Stiennon said. "Nobody pays attention to security until after an intrusion. It is the same story playing out even after a decade" of high profile breaches.

Target's decision to choose a security executive from the manufacturing industry is also interesting because it would have made more sense for the company to try and hire someone with experience in retail, Stiennon added.
