Measuring Security Performance: Is Target More or Less Secure?

Melissa Stevens | May 13, 2014 | tag: Security Risk Management

As a result of their major data breach late last year, Target has undergone a major house-cleaning to signify to the market just how seriously they are taking cyber security.

In the past few weeks, not only did Target make the controversial decision to replace their CEO, but they also announced the appointment of a new CIO and are continuing their search for a new CISO and CCO. In addition to leadership changes, the company revealed details about updates to their security strategy, which include (via BankInfoSecurity):

  • Enhancing monitoring and logging, including implementation of additional rules, alerts, centralizing log feeds and enabling additional logging capabilities;
  • Installing application whitelisting point-of-sale systems;
  • Implementing enhanced segmentation, including the development of point-of-sale management tools, review and streamlining of network firewall rules and development of a comprehensive firewall governance process;
  • Reviewing and limiting vendor access, including decommissioning vendor access to the server impacted in the breach and disabling select vendor access points, including FTP and telnet protocols;
  • Enhancing security of accounts, including coordinating the reset of 445,000 Target team member and contractor passwords, broadening the use of two-factor authentication, disabling multiple vendor accounts, reducing privileges for certain accounts and developing additional training related to password rotation.
  • Adopting chip-and-PIN techology in their branded credit and debit cards

But do these changes actually make Target more secure? Policies, procedures and technology are great (and are absolutely necessary), however, without assessing implementation and performance factors on an ongoing basis, there's no knowing whether or not specific strategic changes have actually improved an organization's security effectiveness.

These are questions that boards are beginning to ask their leaders, so CEOs and CISOs need to adopt metrics that can help them communicate up to the board about security issues and demonstrate real performance value to the business. The ability to compare key performance metrics over time, as well as to other peers and competitors, is something that executives in other disciplines (such as finance and sales) have been able to provide to business leaders.  Now is the time for security to enter the playing field.




Suggested Posts

The BitSight and Moody's Partnership: A New Era For Cybersecurity

Cybersecurity is one of the biggest threats to global commerce in the 21st century.

By providing data-driven insights into cybersecurity, we can empower the marketplace to make better, risk-informed decisions and create a more secure...


4 Critical Success Factors for Effective Security Risk Management

With the average cost of a data breach in the U.S. reaching nearly $8.6 million, your organization can’t afford to ignore cybersecurity risk. Indeed, the need for security risk management is greater than ever. When cyber risk is managed...


IoT Cybersecurity: How Your Organization Can Tame the Wild West

From sensors on the factory floor to those that guide autonomous vehicles, the Internet of Things (IoT) is transforming how we live and work. Over the coming years, IoT will continue to change our world, with the number of connected...


Get the Weekly Cybersecurity Newsletter.