Security Risk Management

Measuring Security Performance: Is Target More or Less Secure?

Melissa Stevens | May 13, 2014

As a result of their major data breach late last year, Target has undergone a major house-cleaning to signify to the market just how seriously they are taking cyber security.

In the past few weeks, not only did Target make the controversial decision to replace their CEO, but they also announced the appointment of a new CIO and are continuing their search for a new CISO and CCO. In addition to leadership changes, the company revealed details about updates to their security strategy, which include (via BankInfoSecurity):

  • Enhancing monitoring and logging, including implementation of additional rules and alerts, centralizing log feeds and enabling additional logging capabilities;
  • Installing application whitelisting on point-of-sale systems;
  • Implementing enhanced segmentation, including the development of point-of-sale management tools, review and streamlining of network firewall rules and development of a comprehensive firewall governance process;
  • Reviewing and limiting vendor access, including decommissioning vendor access to the server impacted in the breach and disabling select vendor access points, including the FTP and telnet protocols;
  • Enhancing security of accounts, including coordinating the reset of 445,000 Target team member and contractor passwords, broadening the use of two-factor authentication, disabling multiple vendor accounts, reducing privileges for certain accounts and developing additional training related to password rotation;
  • Adopting chip-and-PIN technology in their branded credit and debit cards.

But do these changes actually make Target more secure? Policies, procedures and technology are great (and absolutely necessary). However, without assessing implementation and performance factors on an ongoing basis, there is no way to know whether specific strategic changes have actually improved an organization's security effectiveness.

These are the questions that boards are beginning to ask their leaders, so CEOs and CISOs need to adopt metrics that help them communicate up to the board about security issues and demonstrate real performance value to the business. The ability to compare key performance metrics over time, as well as against peers and competitors, is something that executives in other disciplines (such as finance and sales) have long been able to provide to business leaders. Now is the time for security to enter the playing field.
