Measuring Security Performance: Is Target More or Less Secure?

Measuring Security Performance: Is Target More or Less Secure?
Written by Melissa Stevens
Director of Digital Marketing & Demand

As a result of their major data breach late last year, Target has undergone a major house-cleaning to signify to the market just how seriously they are taking cyber security.

In the past few weeks, not only did Target make the controversial decision to replace their CEO, but they also announced the appointment of a new CIO and are continuing their search for a new CISO and CCO. In addition to leadership changes, the company revealed details about updates to their security strategy, which include (via BankInfoSecurity):

  • Enhancing monitoring and logging, including implementation of additional rules, alerts, centralizing log feeds and enabling additional logging capabilities;
  • Installing application whitelisting point-of-sale systems;
  • Implementing enhanced segmentation, including the development of point-of-sale management tools, review and streamlining of network firewall rules and development of a comprehensive firewall governance process;
  • Reviewing and limiting vendor access, including decommissioning vendor access to the server impacted in the breach and disabling select vendor access points, including FTP and telnet protocols;
  • Enhancing security of accounts, including coordinating the reset of 445,000 Target team member and contractor passwords, broadening the use of two-factor authentication, disabling multiple vendor accounts, reducing privileges for certain accounts and developing additional training related to password rotation.
  • Adopting chip-and-PIN techology in their branded credit and debit cards

Measuring-Security-Performance

But do these changes actually make Target more secure? Policies, procedures and technology are great (and are absolutely necessary), however, without assessing implementation and performance factors on an ongoing basis, there's no knowing whether or not specific strategic changes have actually improved an organization's security effectiveness.

Bitsight Executive Report Example

New! The Security Ratings report is now the Executive Report. Request your report to see enhanced analysis such as your rating, likelihood of ransomware incidents, and likelihood of data breach incidents.

These are questions that boards are beginning to ask their leaders, so CEOs and CISOs need to adopt metrics that can help them communicate up to the board about security issues and demonstrate real performance value to the business. The ability to compare key performance metrics over time, as well as to other peers and competitors, is something that executives in other disciplines (such as finance and sales) have been able to provide to business leaders. Now is the time for security to enter the playing field.