The hacking of US retailer Target’s point-of-sale cash register network last year resulted in the theft of 40 million credit card numbers and 70 million addresses, phone numbers and other personal information. It was the largest ever loss of credit-card data in US history – so far.
“We have three new threats now, on average, every second,” says Michael Sentonas, who is Vice President and Worldwide Chief Technology Officer for McAfee’s Security Connected business. The CFO, he adds, has a key role to play in protecting the company from those threats.
“They’re the people who understand the cost of the risks and they understand the concept of how much needs to be invested to protect assets,” he argues. “That’s why they’re really well-placed to work on security and why they should work hand-in-hand with the CIO.”
Sentonas (pictured) spoke to CFO Innovation’s Cesar Bacani about the rising security threats to the enterprise, the rise of the ‘security-obligated executive’ – the CEO, CFO and other top executives – who is held accountable for security breaches, not just the CIO, and other issues. Edited excerpts:
What are you seeing among your clients, particularly in Asia, in terms of their attitude towards IT and online security?
What has changed over the last couple of years is that businesses across Asia and across the world, really, are starting to understand the seriousness of the risk landscape. What I’m finding now is that people are understanding that this is a business problem.
It’s not a technology problem, it’s a business problem. It’s something that they need to tackle from the head of the organization down.
There are different concerns. In Asia, especially, there’s a lot of regulatory compliance requirements. So from the security perspective, people need to make sure that they’re compliant in a lot of different standards and frameworks.
But in a changing threats landscape, people also worry about their organization being compromised, losing track of the data, losing intellectual property, having an outage and so on.
Does ownership of security solutions still lie with the Chief Information Officer?
It is still the CIO who is responsible for security. But the CFO also plays a really significant role in making sure that the organization is protected.
What we’re seeing in the last couple of years is the emergence of what we’re calling the “security-obligated executive.” What that means is that everyone from the CEO down is responsible for security.
Meaning that if anything goes wrong, the security-obligated executives are accountable?
It’s the people that are accountable; it’s the people that need to be aware of what’s going on. If you think of some of the most major customer-records breaches that happened in the last couple of months, it’s not only a CIO issue; it’s the CEO down that’s responsible to make sure that people are safe and secure.
So is McAfee involved at all in Target’s anti-hacking security arrangements?
We don’t typically talk about customers unless our customers openly talk about it themselves. We don’t share any customer data with anyone regardless of who they are . . . That being said, many of our customers do openly talk about what they are doing with us as well.
It’s really up to them to disclose their success in what they’re doing with us. [Editor’s Note: Media reports say Target’s antivirus system was provided by Symantec.]