The CSO needs to oversee and run the security program and advise the CEO and the board of directors, but the settlement did not mandate that the individual report directly to the CEO and the board, which is a miss. In many enterprises, the CSO, despite being a C-level executive, doesn’t report directly to the CEO, and is instead shuffled under the CIO, the CTO or even legal. The CISO/CSO should report directly to the CEO and receive a budget separate from that of IT.
Industry standards are still a low bar
As part of settling with the states, Target has to pay $18.5 million. While New York Attorney General Eric T. Schneiderman touted this agreement as the largest multistate data breach settlement to date, it is pocket change for a company that reported over $20 billion in profits last year and has already paid $202 million in legal fees and other post-breach costs over the past four years. This isn’t even the first settlement: Target settled for $39 million with the financial institutions affected by the breach and allocated $10 million for the consolidated class action lawsuit (along with $6.75 million for plaintiffs’ attorneys’ fees and expenses).
There have been concerns that companies might deprioritize security activities and risks because it is cheaper to just pay the fine after something goes wrong—instead of putting in the time and effort to do it right. The settlement doesn’t do anything to change that viewpoint, but the fact that some of the basics are now codified as “industry standards” may at least raise the bar to the bare minimum. For many organizations, segmenting the networks and adding more security layers around sensitive data environments can make a huge difference in how easily criminals can move around or steal information.