What Every CISO Should Learn From the Target Attack
By Mike McConnell
Vice Chairman, Booz Allen Hamilton
(This article originally appeared in the February 4, 2014 issue of CIO Journal)
The nightmare cyber breach that Target Corp. faced at the height of the holiday shopping season will impact that
company’s bottom line, its customer relationships and its customers’ financial security for months, if not years, to come. Every business or government management team shudders at the thought, “This could happen to me.”
Damage to an organization and its customers happens at light speed, which means senior leaders have to react at
light speed to limit the mayhem and protect the organization. Decisions with potentially huge cost and brand
implications must be made immediately. Leaders must determine how much liability looms, and how much
investment in remediation is needed to account for that. They must also decide what to say to customers
immediately about their individual vulnerability and actions they must take. And they must determine the right
steps to take to ensure damage to the organization is fully contained.
And yet even the best remediation effort falls short if the organization operates from an outdated security model.
As cyber threats have evolved rapidly in recent years, much of the focus within industry and government has
remained on perimeter defense and improving remediation from attacks after the fact. Today, the speed and
scope of current attacks have outpaced those efforts, because the perimeter can no longer be fully protected.
Today’s threat environment demands that companies or agencies have a predictive edge to sense and preempt
coming attacks, and if they do occur, to possess the tradecraft to immediately turn information and intelligence at
the IT level into actionable, real-time insight for business leaders to respond.
And while some companies are starting to focus on improved C-suite decision-making, the secondary issue is how
to manage that transformation effectively. Corporations can be excellent at forecasting revenue and developing
long-term plans without realizing that cyber crisis planning in today’s threat environment requires a completely
This is the greatest call to action for chief information security officers in 2014: to accept and understand that a
remediation-centric cyber defense is not enough, and to build a communications link to the C-Suite that breaks
down the Tower of Babel between the server room and the board room. Organizations need to change their entire
security model from one of compliance – meeting basic standards for data protection – to a holistic multi-faceted
program of engagement.
The CISO can meet the current and future cyber challenge by first considering how much of a direct role and
responsibility the C-Suite should take to manage the many components that a holistic cyber defense and
remediation program will require. Each component – intelligence-based monitoring, crisis management,
remediation, legal, insurance, crisis communications, organizational planning, staff training, etc. – has unique
characteristics and must be closely synchronized with one another. And each component has its own level of risk.
Is it too great a risk for leaders to manage each component individually, or is the better option a provider with broad
expertise who can aggregate them all into managed, simpler risk-based decision making for the C-suite? CISOs will be
charged with making a recommendation on the level of direct management and responsibility, and sharing risk with
others is almost always better.
Given the inherent weaknesses in perimeter defense today, the most important single element of a holistic cyber
approach is a predictive, intelligence-based defense, and more specifically a “military-grade” level of protection.
Government security agencies have long developed sophisticated components for a cybersecurity Web that now
protects the nation, including micro-analytics that can sense bit-level signs of a coming attack, analysis of macro
trends that include nation-state moves, the ability to integrate capabilities into a single security architecture so
gaps can be identified, and the skills to follow indications and warnings in the public sphere. CISOs should look for
these same elements as they examine any commercial intelligence-based solution, because the approach has
proven itself in the classified realm.
Another key factor in success involves people. IT security experts are a given requirement. But an effective
intelligence-based defense team must be much broader and integrated, to include data scientists whose job it is to
know what questions to ask of the data, linguists who understand the finest points of world culture and
communication, and others. Turning information into intelligence and insight with analytics tools is a skill not
found in textbooks – it’s a tradecraft that requires the right mix of training and experience among the experts who
perform it regularly, and the ability to explain it to leaders.
An enterprise is only as strong as its weakest link, and any cyber defense today that is not fully integrated, broad
enough in scope to cover all components of risk, and backed by military-grade capability and the right talent will
not serve a company or agency’s senior leaders well.
CISOs within the commercial financial services industry -- which was one of the early targets as attacks evolved
from distributed denial-of-service attacks to theft and damage -- have set a strong example for leveraging predictive
intelligence and translating risks to the C-suite. Bank CISOs, CEOs and board members work together to identify
cyber risks and better manage them within overall organizational risk priorities. For example, when a major bank
references liability risk in its annual report, that now often includes the risk for the loss of private customer
information in a cyber attack. And more broadly, the financial services industry has created the Financial Services
Information Sharing and Analysis Center, a forum for collaboration on critical security threats facing financial
institutions. Valuable shared information from this group enhances the intelligence-based defense and helps
individual institutions better manage cyber threats at the enterprise level.
The oil and gas industry, which has extensive physical assets that are vulnerable to cyber attack, also is moving in
this direction to manage its own unique risks.
Today, it is not enough to know what to do in cyber security, but given how quickly events occur, it is just as
important to work out ahead of time how to do it. Those industries have CISOs who have learned from experience
and taken strong action, starting a conversation with the C-Suite and building an advanced team. Other CISOs
should learn from them, if only from watching the headlines, and begin the process of reimagining their
cyber defenses immediately, or face the inevitable consequences.
Mike McConnell is the Vice Chairman of Booz Allen Hamilton and served as the Director of National Intelligence for
two years under Presidents George W. Bush and Barack Obama. He will be attending the 2014 RSA Conference to
speak with CISOs about the challenges they face with moving from a perimeter defense to a holistic cyber program
and engaging with the C-suite.