Target Begins Security And Compliance Makeover

Published: 22/11/2024   Category: security




Security gets a higher exec profile at the beleaguered retailer in the wake of its massive data breach as Target starts the road to reorganizing its security and compliance operations



The departure of Target's CIO yesterday, along with the creation of a dedicated chief information security officer (CISO) position and a new chief compliance officer (CCO) position, began a new chapter in the retailer's post-breach security posture.
Security experts say that aside from the executive changes and reorganization, the megaretailer will have other holes to plug to prevent another massive breach like the one that resulted in the theft of 40 million customer credit and debit card numbers, plus the names and contact information of up to 70 million people.
CISO duties at Target previously had been split among multiple people. The new CISO at Target will have centralized oversight and responsibility for the retailer's information security; Beth Jacob, Target's executive vice president of Target Technology Services and chief information officer, has now left the post she had held since 2008.
Raj Ramanand, founder and CEO of Signifyd, said it's surprising that the CIO was managing security duties at Target. "In most large enterprises, the CISO has a direct reporting line to the board of directors and to the CIO of the company," he says. "I'm surprised by the fact that this was all being managed by the CIO, and they didn't have separate officers in charge."
Target chairman, president, and CEO Gregg Steinhafel explained in a statement that the executive moves are a first step in overhauling the retailer's security and compliance operations. "While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly. To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information security and compliance structure and practices at Target. As a first step in this effort, Target will be conducting an external search for an interim CIO who can help guide Target through this transformation," he said.
Steinhafel said Target's current vice president of assurance risk and compliance had already planned to retire at the end of the month, so the retailer also will be hiring a chief compliance officer to fill that role. Both the CISO and CCO positions will be filled with candidates from outside Target, he said.
[Attackers are believed to have stolen network credentials belonging to Fazio Mechanical Services, a provider of refrigeration and HVAC systems, and used them to ultimately compromise Target's point-of-sale systems with malware. See "Target Compromised Via Its HVAC Contractor's Network Credentials."]
The good news is that Target took the time to handle the reorganization, says Signifyd's Ramanand. "They took the time to understand what was causing [their gaps] before they went out and cut people ... They are doing the right thing," he says.
Despite having what several insiders have characterized as a relatively strong in-house security team, Target had its gaps the way many other organizations and retailers do. Ramanand expects Target to tighten its physical security as well, because gaps there with its HVAC contractor were a weak link in the chain. "Those go hand in hand," he says of physical and logical security.
"They were focused on the core of the company, as opposed to looking at the weakest link. Security is not just about the most important systems, but also the weakest link," Ramanand says. "I think there were lax security measures around noncore systems."
There also appear to have been visibility problems that prevented Target from spotting the attackers moving the stolen data out of its network, other experts say.
"In my opinion, how was someone able to send gigabytes of data out without [Target] knowing? How can you send out so much data without someone noticing?" says Aviv Raff, CTO at Seculert. The signs were in the logs if someone had been monitoring them, he says.
The question is whether there were just too many security silos in Target not sharing or cooperating with one another, experts say.
While Target's point-of-sale servers may have been in tight lockdown, the attackers were able to find other, more gaping holes in its environment. The attackers had to move laterally once they got in, so the key for Target would have been to make it harder for them to exit with the stolen payment card information, says Mike Lloyd, CTO at Red Seal Networks. "You can control the path back out," he says. "You need to make the outbound mazes harder."
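The visibility gap the experts describe above (gigabytes leaving the network unnoticed, the signs sitting in the logs, and the need to control the path back out) is exactly what a per-host egress-volume check is meant to surface. The Python below is an added example, not code from the article, from Dark Reading or from Target; the flow-log format, the hosts, the byte counts and the per-host baselines are all constructed for illustration, and the hourly window and 10x-baseline threshold are assumptions a real deployment would tune.

```python
"""Egress-volume check over flow logs.

Added example, not code from the article or from Target: flag internal hosts
whose outbound byte volume to external addresses within one hour is far above
that host's historical baseline. Every input below (flow-log format, hosts,
byte counts, baselines) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed flow records: timestamp, source IP, destination IP, bytes sent.
SAMPLE_FLOWS = """\
2013-12-02T01:05:10 10.10.5.21 10.10.9.40 18200
2013-12-02T01:07:44 10.10.5.21 203.0.113.77 412000000
2013-12-02T01:12:03 10.10.5.21 203.0.113.77 388000000
2013-12-02T01:15:30 10.10.7.12 198.51.100.5 90000
2013-12-02T01:20:09 10.10.7.12 198.51.100.5 120000
2013-12-02T01:25:18 10.10.5.21 203.0.113.77 405000000
2013-12-02T01:30:00 10.10.8.3 10.10.9.40 55000
"""

# Constructed baselines: typical outbound bytes per hour per host, as you would
# derive from a few weeks of prior flow data. Unknown hosts use DEFAULT_BASELINE.
BASELINE_BYTES_PER_HOUR = {"10.10.5.21": 2_000_000, "10.10.7.12": 5_000_000}
DEFAULT_BASELINE = 1_000_000

# RFC 1918 ranges; anything outside them counts as "external" here.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def egress_by_host(flows):
    """Sum bytes per (internal source host, hour) for flows that leave the
    private address space; internal-to-internal traffic is ignored."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            hour = ts.replace(minute=0, second=0, microsecond=0).isoformat()
            totals[(src, hour)] += nbytes
    return dict(totals)


def flag_egress(flows, baselines, default_baseline, multiplier=10):
    """Return {(host, hour): bytes} for hosts that sent more than
    multiplier x their hourly baseline to external addresses."""
    alerts = {}
    for (host, hour), total in egress_by_host(flows).items():
        limit = multiplier * baselines.get(host, default_baseline)
        if total > limit:
            alerts[(host, hour)] = total
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    alerts = flag_egress(flows, BASELINE_BYTES_PER_HOUR, DEFAULT_BASELINE)
    for (host, hour), total in alerts.items():
        print(f"ALERT {host} sent {total:,} bytes to external hosts in hour {hour}")
```

On the constructed sample, 10.10.5.21 pushes about 1.2 GB to a single external address in one hour against a 2 MB/hour baseline and is flagged, while 10.10.7.12 stays within its norm and 10.10.8.3 never leaves the private range. A threshold this simple misses slow exfiltration spread over days, so in practice the same flow data is also checked for previously unseen external destinations per host and over longer windows, but even this check makes the point Raff and Lloyd are making: the volume was visible in the logs, and the outbound path is where a defender gets to look.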
Former Target CIO Jacob, who holds an MBA, began her career with Target in 1984 as an assistant buyer in Target’s department store division, Dayton’s, for two years. She was hired by Target in 2002 as director of guest contact centers, and named vice president, guest operations in 2006.