6/11/2014
12:26 PM

Target Hires GM Exec As First CISO

Target names Brad Maiorino as its first chief information security officer to oversee the company's security and technology risk strategy.

 


Target has hired a General Motors executive to oversee the company's information security and technology risk strategy following the 2013 data breach that exposed personal details of 70 million Target customers.

General Motors chief information security and information technology risk officer Brad Maiorino will join Target as the company's first CISO and senior vice president on June 16, the company said. Maiorino has also held the CISO position at General Electric.

Maiorino will report to Target CIO Bob DeRodes, who joined the company on May 5. The reporting structure is a vote of confidence for DeRodes, said Jonathan Feldman, CIO of Asheville, N.C., and an InformationWeek columnist. "This is not an external watchdog on the IT group. He's reporting to the CIO," he said. "The big meta-question here is how both the CIO and CISO will balance over-reaction versus under-reaction."


Former Target CEO Gregg Steinhafel announced in March a set of plans to overhaul the company's information security and compliance practices following the December breach. Among them was filling the CIO position formerly held by Beth Jacob, who resigned in March; hiring a chief compliance officer; and creating the new CISO position. Target has not yet hired a chief compliance officer.

Target CISO Brad Maiorino

"Having led this critical function at two of the country's largest companies, [Maiorino] is widely recognized as one of the nation's top leaders in the complex, evolving areas of information security and risk," DeRodes said in a statement. "As an organization, we have made a commitment to our guests and our team that Target will be a retail leader in information security and protection. We believe [Maiorino] is the right person to lead that change."

In addition to the new hires, Target detailed other steps that it took following the 2013 breach. The company has since enhanced monitoring, segmentation, logging, and account security, and installed application whitelisting on point-of-sale systems, it said in the announcement.

Target has also increased hiring of information security employees, requires annual data security training for all employees, and runs a 24-hour security operations center to monitor for suspicious activity, the company said in a letter to the SEC last week.

"I am looking forward to joining the Target team and helping them continue the progress they have made to be a retail leader in information security and protection," Maiorino said in a statement. "I am confident that the combination of a strong team and the leadership commitment will enable us to achieve that objective."

The appointment of Maiorino as CISO comes a day before Target's annual shareholder meeting, at which proxy advisory firm Institutional Shareholder Services recommended that shareholders vote out seven of the company's 10 directors, saying the board failed to manage risks that led to the data breach.


Kristin Burnham currently serves as InformationWeek.com's Senior Editor, covering social media, social business, IT leadership and IT careers. Prior to joining InformationWeek in July 2013, she served in a number of roles at CIO magazine and CIO.com, most recently as senior ...

Comments
Robert McDougal,
User Rank: Strategist
6/12/2014 | 11:57:09 AM
Re: Surprised Target didn't pick a security chief from retail
In my experience, having the CISO report to the CIO is a bad idea. Setting up your organization in this way allows IT operations to override IT Security. The CISO and CIO should be peers.
jastroff,
User Rank: Ninja
6/11/2014 | 7:45:42 PM
Re: Surprised Target didn't pick a security chief from retail
>> Actually, I think the story was that the previous CIO who resigned was trying to run information security in her spare time, and that didn't work out so well.

If that's true, then that's pretty awful. I won't say that means they deserved the revenue loss, but it's like leaving the front door open and expecting everything to be there in the morning.

 
Shane M. O'Neill,
User Rank: Author
6/11/2014 | 5:10:27 PM
Re: Surprised Target didn't pick a security chief from retail
The CEO probably wants the CISO to report to the CIO so the CEO can still point fingers if there's another data breach. Or perhaps that's just me being cynical.
David F. Carr,
User Rank: Author
6/11/2014 | 4:41:40 PM
Re: Surprised Target didn't pick a security chief from retail
Actually, I think the story was that the previous CIO who resigned was trying to run information security in her spare time, and that didn't work out so well. It's important to elevate the role of cybersecurity and make it someone's primary responsibility.

One IT security pro recently told me he judges the seriousness of an organization's commitment to cybersecurity by who the top security exec reports to. If the CISO reports to the CIO, he said, that's a bad sign that security will be subordinate to other IT priorities. They should both be at the same C-level of responsibility, according to that theory.
Thomas Claburn,
User Rank: Author
6/11/2014 | 4:13:38 PM
Re: Surprised Target didn't pick a security chief from retail
I wonder why the CIO isn't also expected to be the CISO. Seems to me there's no more important information-related task than assuring data security.
David F. Carr,
User Rank: Author
6/11/2014 | 2:54:22 PM
Surprised Target didn't pick a security chief from retail
Wouldn't you think there was enough that's unique about the retail business to convince them to pick someone from that industry?