If you wear the CIO hat at a very large retail company, what could be worse than having your site broken into and tens of millions of customer records stolen … right at the peak of the holiday season? Well, I suppose it could be worse if your organization had recently spent millions on the latest security equipment and software and set up a large, 24×7 monitoring center halfway around the world to watch for critical alerts from that software … and then, when someone roughly 12 time zones away did notice that the organization's network had been breached and sent a notice to their overlords in the US, nothing much happened for nearly three weeks while the bad guys were stealing millions of customers' credit card numbers and personal information.
Of course, that could be a really big problem. In fact, it might get a CIO, along with a number of underlings, fired after having to testify on nationwide TV before Congress, and after launching a huge internal review to find out what really happened and to place the blame somewhere other than at the top. All of this might cost a company hundreds of millions in sales and frighten away millions of loyal customers … and three months later it might land on the front cover of one of the US's leading business journals (see “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”).
So how could such a huge organization, with so much on the line, blow its cyber security so badly and so publicly? Well, hindsight, as they say, is always 20/20. Somehow the critical messages flagging the intrusion, which began two days after Thanksgiving, got lost, ignored, or both. This is not an uncommon problem in the cyber security business: there are simply too many ways in, too many attack vectors, too many alerts, and too many exceptions, and an alert that nobody owns and nobody is obliged to escalate within a fixed time is, in practice, no alert at all. Indeed, this is one case where Big Data (reams of security alerts, in this case) didn't improve decision making; rather, it obscured the problem. The result was that the seriousness of the situation didn't surface to top IT management until the FBI notified the firm of the breach on 18 December. Up to that point, top management had drawn confidence from the belief that its cyber security program was the best money could buy, because it had been certified against the payment card industry's security standard (PCI DSS) as recently as September 2013.
Specialized communications gear, firewall after firewall, security alerts galore, trained 24-hour human monitors, and industry certification … what more could you do? As it turned out, the missing piece was not another product but a working process: someone accountable for acting on the alerts that all that equipment produced.