Target has promoted Rich Agostino to CISO, following the departure of Brad Maiorino, who moves to Booz Allen Hamilton's U.S. commercial business. Maiorino, whom Target hired from General Motors to mitigate a major cybersecurity breach in June 2014, hired Agostino from General Electric as his vice president of information security in September 2014.
"Rich came to Target in 2014 after spending more than 10 years in information security, technology risk and audit at GE," a Target spokeswoman tells CIO.com via email. "He’s been a member of Brad’s leadership team for more than two years and played a major role in the advancement of Target’s information security program."
The CISO change comes as cybersecurity continues to be a thorn in the side of many IT departments. The Target 2014 breach created a snowball effect as several large corporations, including Home Depot, Sony and Anthem, were penetrated by various attackers using malware and other tactics.
Insider attacks are also proliferating. Booz Allen was a victim of perhaps the most notorious insider hack in U.S. history in 2013 when former employee Edward Snowden stole and released a trove of classified documents about the government's secret surveillance programs. Earlier this week, WikiLeaks published 8,700 documents it says come from the CIA's Center for Cyber Intelligence, Information about purported CIA cyberattacks.
Such attacks have stoked security experts’ worst fears: It takes only one vulnerability exploited by an enterprising hacker or corporate insider.
That reality has generated a glut of new business for consultants such as KPMG, Deloitte and, of course, Booz Allen. Maiorino, who starts his new role on March 13, will work to scale Booz Allen's U.S. commercial business. Led by executive vice president Bill Phelps, the unit provides to Fortune 50 companies consulting and technology solutions that blends cyber threat intelligence and data analytics with security operations. Its clients include large commercial and investment banks, utilities, oil and gas companies, major retailers, auto manufacturers and large pharmaceutical manufacturers.
Maiorino's experience transforming cybersecurity in CISO roles at Target, General Motors and General Electric over the past 20 years qualify him for the role, according to Booz Allen President and CEO Horacio Rozanski. “We are thrilled that Brad will bring his extensive experience and leadership to our team,” Rozanski says.
You've been 'Targeted'
Maiorino's role as Target's first CISO stands out because it required him to get the retailer's defenses in order in the face of mounting criticism from federal regulators and consumers after it discovered that the data of 40 million credit and debit cards and personal data on about 70 million customers had been taken in late 2013. The perpetrators slipped malware into Target's network via an HVAC company in a sophisticated breach that cost Target millions of dollars and the CEO and CIO lost their jobs.
In response, Target added enhanced monitoring, data segmentation, logging, as well as security of accounts and installation of application whitelisting on point-of-sale systems. Maiorino provided insight into his challenges and opportunities in a July 2014 interview with the New York Times in which he said Target was not as poorly secured as people believed.
Maiorino also said any company would have fallen prey to what was a "highly sophisticated set of actors." His solution? Reducing Target's attack surface, which means eliminating connections in the business.
While working at GM from 2012 to 2014 Maiorino transformed the company’s information security and IT risk organization, including building out a global team and establishing GM’s Vehicle Cyber Security Steering Committee. Prior to General Motors, he oversaw GE’s global information security program and oversaw the design and construction of the GE Cyber Security Fusion Center, the company’s SOC. He has also served as a member of the board of directors for the Retail Cyber Intelligence Sharing Center (R-CISC), in which retailers work share information about threats.