Saturday, December 15, 2007

The Employment Vulnerability, part 2

We all know TJX was irresponsible with customer data, but what can we determine through the Employment Vulnerability?  I got a call from a headhunter in mid-2006; that call was the beginning of an interesting story.

In mid-2006 a recruiter called and asked if I would be interested in a position as a Security Analyst; intrigued, I asked for details. After an exchange of emails, the recruiter told me that the position was with TJX, which was forming an information security team. That's right, over a year and a half ago TJX was starting to think about forming a team dedicated to information security. Then, as is often the case with recruiters, nothing- no more emails or phone calls. I shrugged and went on with life.

I was a bit surprised when the same recruiter called me early this year and asked if I was still interested in the position we had discussed last year. The recruiter said TJX had dropped the search last summer, but was suddenly renewing the Security Operations Center project in earnest and wanted to place people quickly. More out of curiosity than a desire to join TJX, I agreed to a phone interview a few days later.  Just minutes before the scheduled interview, I received a call from the recruiter, who apologetically asked if we could reschedule the phone interview for later in the week because something was going on at TJX and they couldn't do the interview that afternoon.  Moments later, my newsgroups and email newsletters were telling the tale of the TJX data breach.

We did reschedule the phone interview, and it went well- but nothing came of it.  The manager who conducted the interview was understandably reluctant to provide details about the internal situation, but it sure sounded like he had spent the week screaming "I told you so".  Maybe that was just my imagination, but I did sense more than a little frustration with senior management in his comments during the interview.  TJX outsourced all of their incident response and did not assemble an in-house security team.  Still curious about TJX's handling of the fiasco, I went to the TJX careers site and found several positions listed.  Their "job codes" consist of the two-digit year and a sequential listing number, and there were a handful of listings with an 06- prefix and low sequence numbers for IT and Information Security positions- confirmation that the positions had been unfilled for almost a year.

This fall TJX finally resumed the quest; they are seeking an IT Security Architecture Manager.  Bill Brenner wrote about this in the Security Bytes blog back in October, and the position is still open.  Part of the job description includes:

"Responsible for developing and documenting a comprehensive information security architecture"

Developing a security architecture?  What a great idea!  It seems a bit late to roll out that idea, but maybe they don't want to rush into things.  I can't imagine why this position remains unfilled.  I wonder if TJX is still dragging their feet, or if they can't get any qualified takers.  Either one seems likely.

Back to the "employment vulnerability": I learned that TJX knew they needed to do something about security, but weren't concerned enough to do anything until it was too late- and even then they didn't build a team.  I also learned that upper management wasn't listening to their own employees about the problem.  We also know that they are advertising for a key position, but haven't found anyone in months, and that some of the tasks which will fall on the shoulders of the new manager should have been done years ago.  While this doesn't compare to the data breach that got (and keeps) TJX in the news, it is another form of data leakage which doesn't look good for the company.