What’s more important: the loss or theft of information about running shoe purchases, or the credit card details involved in all kinds of other transactions?
That probably isn’t a fair question, but I couldn’t help thinking it when I read the recent news about a legal battle involving Nike and Mastercard over IT security talent. According to a story published in the Wall Street Journal, Mastercard is suing the footwear and athletic apparel maker over allegations its former chief information security officer (CISO) not only left to join Nike but began taking some of his best and brightest with him:
MasterCard is asking for an injunction to stop Nike from recruiting its employees. The company is also seeking at least $5 million in monetary damage due to existing breaches. ‘Despite MasterCard’s requests to cease, Nike continued, with the assistance of the former employees to solicit and hire seven more information security employees from MasterCard in a span of just six months,’ said a MasterCard spokesman in an email.
Of course, after major incidents involving Target, TJ Maxx, Home Depot and other major retailers, it’s no surprise Nike, which owns and operates its own stores, would be interested in the CISO of Mastercard and those who worked with him to help protect critical financial data. With the Sony Pictures Entertainment hacking attack, possible state-sponsored attacks on Canada’s government and other data breaches, the ever-fierce war for IT security talent may soon be divided along vertical market lines.
Beyond the deep pockets necessary to pay such CISOs and their staff handsomely, I suspect what will ultimately motivate security talent to stay or leave an organization will be similar to that of almost any other employee, and it comes down to a single question: “Are the problems to be solved worth solving, and can I learn and develop myself by solving them?”
Right now, given how many retailers and consumer-oriented companies are proving to be major targets for cyber-attacks, those recruiting in that space may have a considerable advantage. However, with wearables and the Internet of Things potentially introducing ever-greater risk vectors into everyday life, there will be no shortage of opportunities for security professionals to consider.
As a result, non-compete, non-disclosure and non-solicitation clauses may look like the answer to some organizations today, but employees who don’t want to feel trapped may decide to bypass the firms that insist on them. Ultimately, the challenge here is to ensure that the “tribal knowledge” around a given organization’s security posture is the No. 1 thing business leaders strive to retain. That’s easier said than done, but figuring out the right approach should take precedence over mere investment in IT security technologies. As Nike might say, just do it.