CFOs Don’t Want to Get it When it Comes to Risk and Security…Until it’s Too Late.

Thursday, February 06, 2014

Stephen Marchewitz


Target’s CFO should be embarrassed. Target is investing $100 million to upgrade to a more advanced credit card system following the massive hack of customer data, its chief financial officer told U.S. Senators Tuesday. Testifying before the Senate Judiciary Committee, Target CFO John Mulligan gave a more detailed account of the holiday season hack that has exposed personal or financial data of nearly a third of U.S. adults.

$100 million to upgrade credit card systems?

We already noted that Chip and PIN isn’t the answer. Fraud losses on UK cards with this technology totaled £610m (a little more than $1 billion U.S. dollars) in 2008, a peak year for fraud. Obviously, this is a knee-jerk reaction to what they’ve gone through. Will it help? Of course. Did he need to spend that? Not even close. But hey, it’s only the shareholders’ money, not his. At least he can now say he’s doing something.

Is he going to lose his job for costing the company over a couple billion dollars in losses?

According to Ponemon estimates (PDF), the breach will cost Target over $2 billion. That’s Billion with a capital B! CFO to get fired? Naw, his bonus will probably go up. And what a tough position. He probably couldn’t spell security before the incident, but had to testify before Congress about what they’re going to do…talk about your crash courses. He makes a bold statement when he says, “We will learn from this incident.” Ya think?

Companies, on average, are still not doing the right things—unless they’re forced to

California Senator Dianne Feinstein stated that public notification of major data breaches is currently "vague (and) nonspecific," and firms can often get away without making disclosures. We see this all of the time. These executives at Target got caught with their pants down, and with the size of the breach so large, they had no way of pulling them up. They had to stand there and take it in the shorts. Others typically don’t have such a large breach of information, and thus don’t disclose that their customers’ (or as Target calls them “guests”) information was stolen. Dishonest? Yes. Lucky? Absolutely. If the buck stops with the CFO, they’re in a sorry state of accountability.

Andrew Bycroft:

Whilst I think ignorance is all too commonly used as a "get out of jail card" I don't necessarily agree with your headline, Stephen, that "CFOs don't want to get it". I think it is harsh to point the finger at CFOs and call them ignorant and negligent. Whilst CFOs are tasked with balancing saving money with spending it, and often err more towards the side of saving money when it comes to risk and security, if it can be shown that the cost of a risk is many magnitudes greater than the cost of security to treat the risk, CFOs will take notice.

In my experiences, when CFOs do not pay attention it is typically because the information has not been presented to them in language they can understand. When dealing with any C-level executives there are two important pieces of information required in all communications:

(1) risk - this is something we all understand; subconsciously we manage risks every day - such as whether to speed, whether to cross a road, whether to take an umbrella, whether to drink another beer before driving, and so on. Qualify and quantify a risk and it can be comprehended.
(2) money - this is one of the staples of life - up there with air, water and food. Sure, some of us don't have as much of it as we may like and others suffer from having more of it than they can sensibly spend, but we all understand that money has a value and losing a vast amount of it through negligence is difficult to swallow.

Put these two pieces of information in a single sentence such as "there is a 43% chance that credit card data will be exfiltrated from our e-commerce servers within the next year causing a financial loss of $250M", for example, and back it up with real numbers from previous incident analysis, then present it to a CFO and he or she will be empowered to act.

Then ignorance has been removed from the equation and failure to act can only come down to negligence.