2. Lobby for a CISO to Handle Significant Security, Liability Responsibilities
As the old saying goes, the buck must stop somewhere. As with most things technology-related, the head of the information services organization is likely to get the blame. But CIOs are burdened with more areas of responsibility than ever before, from keeping the computers running, to creating new technology-driven lines of business that can actually represent a profit center, to liaising with marketing and the executive suite to unlock the secrets that lie within the massive amounts of data warehoused in the corporate IT estate.
Yes, security is an important part of all this, but creating a security regimen and implementing it throughout the organization is really best done by a dedicated CISO - someone whose sole job is to monitor the security posture of a business and then carefully and deliberately enhance it over time. A CIO is simply too rushed and spread too thin to fully handle this responsibility.
Target shows why. It took several weeks to get to the bottom of the extent of the breach. (This is actually better than average; most serious data breaches take months to spot.) According to multiple reports, it took days even to discover the breach, before the media caught on to it. As we all saw, Target seemed to discover more and more about exactly what data was lost in the attack, judging from the trickle of information released to the public and to the media.
You can imagine the frenzy within Target as it worked to get to the bottom of what happened, react to it, prevent the situation from deteriorating and activate response plans. The buck stopped with Jacobs, and her response was left somewhat wanting. It's a real possibility that she simply had too much on her plate.
Additionally, hiring a specific security head shows the rest of the organization that security is serious business. Having such a position generally gives the CISO the autonomy required to put into place the right remedial measures to enhance security. Having to work through a chain of command not dedicated to security can delay or even jeopardize necessary technical improvements due to a lack of clear communication or an inability to convince others that some measures are necessary.
3. Incident Response Plans Key to Successful Recovery from Data Breaches
In the hours and initial couple of days after a breach has been discovered, there is usually only one priority: Fix the breach, at all costs. Stop the bleeding.
This is a fine approach for the technical team. However, others in your organization need to at least be activated to begin planning a communications approach that keeps all stakeholders informed. Witness the somewhat haphazard way in which Target disclosed the breach. Were PINs compromised, or just payment card numbers? Were PINs leaked? Were encrypted PINs leaked? Was anything leaked? The story seemed to change as the situation developed. That's a symptom of an incomplete crisis communications plan.