First-ever Neiman Marcus CISO departs
Sarah Hendrickson, who was hired as the first chief information security officer at Neiman Marcus in late 2014, has departed for a job in the IT sector, reports D Magazine, which confirmed the news with a Neiman Marcus spokesperson.
Hendrickson, who also was one of the first CISO hirings widely reported in the retail sector, joined Neiman Marcus several months after the retailer suffered a high-profile data breach that affected an estimated 350,000 customers and led to Neiman Marcus being forced to pay $1.6 million in settlement fees.
Hendrickson reported to Sarah Miller, chief information officer and senior vice president at Neiman Marcus. The retailer’s future plans for the CISO position were not immediately clear.
Neiman Marcus landed its first-ever CISO about 10 months after its major data breach incident, which had the slight good fortune of occurring shortly after Target disclosed its own massive data breach, so the Neiman Marcus incident didn't garner nearly as much attention.
Still, Neiman Marcus got some positive attention for deciding that a CISO was needed to oversee information security policies and protection measures, and then hiring Hendrickson within the same calendar year. Her hiring came at a time when retail was reeling from a handful of major security breaches and the threat of more to come, and it seemed like naming a CISO to soothe those fears and make security a strategic priority for retailers just might become the trendy thing to do.
Almost three years later, many more security breaches have hit retail, such as last year's hacking episodes at Vera Bradley. However, very few retailers have gone down the path of naming a CISO; more often, they make data security the responsibility of other IT executives and teams. Staples became one of the exceptions a couple of months ago when it appointed Brett Wahlin as its own first-ever CISO.
The details of Hendrickson's departure from Neiman Marcus are not yet known, and it isn't clear if or when Neiman Marcus will hire a replacement. In the last few years, retailers have not gotten much better at handling security attacks than they were before. Too often, hacked retailers don't offer many details on what actually happened during attacks that often last for months. More information security leadership isn't an easy antidote to the attacks and threats, but at the very least it sends the message to customers that retailers are finally taking information security issues seriously.