Monday, March 31, 2014

Security Governance Ripples from Target Breach

You know the saying, if you want a different result, best not to keep doing the same thing. In this case, the result was the massive data loss breach involving loss of the records of 40 million customers at mega retailer Target.

In its wake, CEO Gregg Steinhafel stated that he is "elevating the role" of its chief information security officer and hiring outside the company to fill the position.  According to this NY Times article from early March, bringing on a new CISO will help Target centralize the company's security responsibilities.

And while the timing is coincidental, I owe Schweitzer Engineering Laboratories' Sharla Artz thanks for pointing out that Wisconsin based electric utility Alliant Energy Corp just made a similar move. For me, there are several promising parts to Alliant's announcement at the recent EnergyBiz conference that it had just:
Created an executive-level opening ... for overseeing cyber and physical security. The position was designed to bring cyber issues out of the weeds of the IT shop, where CEOs generally don't tread.
What I like best about this is:
  • The company didn't have to endure a huge security incident to justify this change to the org chart
  • The position is clearly not going to be buried in an IT silo, so it should have authority to set security policy across IT and OT
  • Reflecting a convergence that's happening in many energy enterprises, this new security exec will oversee both cyber and physical security
Hopefully we'll see more utilities make similar moves ... and soon.

Image credit: Michael Durham at

No comments: