Thu, Oct 4, 2007 9:07 EDT

Posted by: Scott Berinato in News | Topic: Enterprise Management | Blog: Information Collective
What better way to say "Mea culpa" than with Job Code 07-2153? As noted in the Data Loss discussion list at attrition.org, The TJX Cos.--they of the biggest data breach publicized so far--is hiring an IT Security Architect Manager. No salary is listed, but if you're interested, expect to be working late nights.
We tease. But looking at the job description, it certainly looks like TJX at least wants to give the appearance of trying to wrangle some sense out of the IT security that failed the company and led to tens of millions of lost customer transaction records, and to an embarrassing string of announcements that gave the appearance TJX really wasn't sure what was stolen, when, and how.
The job description sounds like the equal and opposite reaction to the breach. The first bulleted responsibility is breathtaking in its goals:
* Responsible for developing and documenting a comprehensive information security architecture and road-map for the company to ensure that technology design and controls are effectively aligned with corporate security policies and standards, as well as to increase the overall efficiency and effectiveness with which security controls for both new technologies and changes to existing technologies are designed and implemented within the organization.
That's a career in and of itself. And that's just the beginning. The job description goes on for nine more bullet points, alludes to an identity management project and asks for six or more years' experience with all the proper certs (CISSP, CISM, CISA, &c.). In other words, TJX seems to be hiring a CISO, albeit one called an IT Security Architect Manager, likely in order to keep the pay grade lower.
The whole thing reads as if company muckety-mucks said to a consultant, "Create a position that will help us get information security under control. Don't hold back. Put in everything we'd need." In fact, that's likely what happened, though we have no real evidence of it. As you may know, TJX hasn't exactly opened up to the press (and through the press, to its customers) about the breach. All of our calls certainly have been ignored.
This job posting was found on careers-TJX.com. We went to Monster.com to see if the job was posted there. Wouldn't that be delicious irony, a breached TJX using a jobs site that has seen its own security breach to advertise for an information security job?
Alas, TJX's information security architect manager position wasn't posted on Monster.
But dozens of openings for store detectives were....
Yes, this sounds exactly like TJX. If you take a look at other job descriptions, you'll note they pack everything into it, basically anything one could possibly do in a job. Make the description look like a C-level but call the position "assistant manager" or something of that sort and keep the pay grade as low as possible. That's TJX company policy, about the only policy that seems to be strictly followed and monitored.