This article is a perfect example of upper management not taking IT security seriously. Even though this article is 2 years old it shows a blatant act on Home Depot’s part not to address known security issues. Home Depot cyber security team presented concerns to management back in 2008 and they were slow to respond, resulting in 56 million credit cards being compromised four years later. You would have thought after the Target data breech; Home Depot would have tightened up their act.
http://www.theverge.com/2014/9/20/6655973/the-home-depot-reportedly-ignored-warnings-from-its-own-cybersecurity-team
I’m almost certain Home Depot is not alone with this sort of negligent corporate culture. I often times wonder what is the real motif behind not listening to IT/Cyber Security professionals. Perhaps big corporations get away with these bad habits the majority of times, or stricter rules and regulations need to be enacted in this regard? It looks like millions in fines alone are insufficient to convince otherwise.
I agree, millions in fines for a large corporation like Home Depot is not enough. They can brush it off and continue on with their business, unlike the victims that were affected by the attacks. I think that the atmosphere is changing since 2008 & 2014, and that Board of Directors and Executives are taking an active role in their organization’s cyber security posture. Unfortunately not all organizations are aligned with this practice, since there seems to be a knowledge gap and vested interest from the BoD and executives. For organizations to be successful in this relationship, BoD must provide oversight and guidance, and IT executives must be able to articulate the role of IT in business terms.