The announcement that Neiman Marcus has hired its first chief information security officer, or CISO, suggests a growing trend in this area. More organizations are using the position in the wake of massive data breaches.
The Wall Street Journal says Sarah Hendrickson joins the Texas-based retailer from Children’s Medical Center of Dallas, where she also served as CISO. She has held IT security positions at Dell Inc. and J.C. Penney Co., according to her LinkedIn profile.
According to the Dallas Business Journal, “Neiman Marcus posted the new position on its careers website May 21. The CISO’s responsibilities include developing a security and risk management program, managing the company’s security organization, creating security and risk management training programs, facilitating IT risk analysis and developing disaster recovery policies and standards.” It created the position after a breach that could have affected a million shoppers.
Target also recently hired a chief risk and compliance officer, according to the Associated Press. It reported the move was made “as the retailer continues to overhaul its security department in the wake of last year’s massive data breach.”
In June, Target named Brad Maiorino as chief information security officer. He also had been with General Motors. He reports directly to Bob DeRodes, who was named Target’s new executive vice president and chief information officer in April. According to AP, Target has been overhauling its security department as it tries to put last year’s pre-Christmas data breach behind it.
But not just retailers are focusing on the increasing data breaches. Health care CISOs are also increasing their focus on the issue. As the Wall Street Journal reported, “The health-care industry is grappling with how to protect personal health information from increasing cyber threats. In addition to meeting security and privacy regulations, companies can do more to prevent breaches by assessing and prioritizing cybersecurity risks, said Jim Routh, chief information security officer at health insurer Aetna Inc.
The article continued, “The message has already caught on at some health-care companies, who are starting to look for technology executives with risk experience. A September global state of information security report from PricewaterhouseCoopers LLP found that detected incidents reported by health-care providers and payers in a two-month period in 2014 were 60% higher than for a similar period in 2013. Financial losses increased 282% over 2013.”
Aetna, for example, the article continues, “has met HIPAA requirements for the protection of health data, but it has also gone one step beyond and created an even higher level of control for certain types of data including credit card information, social security numbers and security credentials such as user names and passwords. The higher level of controls uses techniques such as multi-vector authentication and encryption of data at rest and in motion, said Jim Routh, Aetna CISO.”
Cybercriminals have begun to use electronic healthcare information to perpetrate identity theft and account fraud in the last couple of years, John Pescatore, director of emerging security trends at SANS Institute, a cybersecurity research and education organization, told the Wall Street Journal. “There’s been near zero reaction from the health-care industry.”
What’s less clear in the growth of CISOs is where they stand on organizational charts. Some report to CIOs, as might be expected, while other companies have them reporting to chief data officers. It will be interesting to see in the coming months how that shakes out. It should be the rare situation where the CISO reports directly to a CEO.