News that the CEO of Target resigned broke as we prepped to record the latest edition of the Down the Rabbithole (DtR) podcast (listen to the episode here). Naturally, we covered it. Our discussion is a bit of a departure from initial reactions.
Some of the initial mentions on social media celebrated this as a 'win' for security. That's both bad form and likely wrong. Celebrating someone losing their job - especially after 35 years of service - is tacky. This is not a smart strategy to advance the security industry and demonstrate alignment.
Taking a different view on this story, however, provides useful insights into how to expand the role of security in the modern, evolving enterprise.
What if claiming breach is just a cover?
As breaches continue to form part of our new reality, organizations are learning how they factor into earnings, news, and major announcements.
The official statement from the board (on WSJ.com) held two passages I found of interest.
"The board is deeply grateful... He also led the company through unprecedented challenges, navigating the financial recession, reacting to challenges with Target's expansion into Canada, and successfully defending the company through a high-profile proxy battle."
That sentence was buried in the paragraph. Then after an eye-catching space, the breach is singled out:
"Most recently, Gregg led the response to Target's 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company."
Without a doubt, news and discussion of the breach have dominated the web and television since December. Given the draw of security headlines, it makes sense to see a series of headlines suggest the departure was "in the wake of a massive breach."
However, the struggle through and out of the recession, expansion into new markets, and attempts to change some internal offerings seem to hold more sway than the breach. Besides, despite the hype from the sheer size of the breach, the actual harm continues to evade discussion (read more here).
Sometimes companies use a breach as an opportunity to renew focus on security and resolve to do even better. Those CEOs tend to stick around. Target has committed $100M to implementing Chip and PIN; the proof this investment will generate a positive return is a bit flimsy (read more about if Chip and PIN actually solves the problem here). Curious if or how this factors into the story a few years removed.
In the meantime, citing a data breach is either compelling news or smart cover. In the case of Target, it seems other factors were at play.
Target is not the new example (not yet)
While the case at Target captured attention, the resignations and fall-outs are not necessarily the new face of data breach.
One anecdote with a company struggling to recover from the recession and expand into new markets does not a precedent make. At least, it's too soon to declare it.
An interesting finding in the LA Times report noted "The company's board has been meeting with Steinhafel monthly instead of quarterly to oversee Target's response to the breach."
As with the potential to use "data breach" as a cover, it's hard to tell, for certain, if the monthly meetings were entirely focused on coordinating the response. It may have been a convenient way to get more insight into the financials without causing undue attention in the marketplace.
Maybe I read too much fiction.
Because it's hard to tell, it's dangerous to declare the resignation of the CEO as a "win" for security.
However, now that a board has used security as a reason to convene more frequently, perhaps it creates an opportunity. Perhaps directors and executives see this as a need to place more emphasis on (understanding) security and compliance.
Why Target could be the new model (and worth watching)
We want people to take security seriously. The business wants security to take the business seriously. The opportunity lies in aligning the interests of the business with the efforts of the security team.
As we evolve, we must focus on the need to take friction out of communication. By aligning security resources to protect the value of the business, everyone wins. We're all on the same team.
As such, Target is worth continued watching (probably to their dismay). They just announced a new CIO, an outsider. They are publicly looking for a new CISO and a new director of compliance. And now, they are looking for a new CEO.
As the new team comes together, this is a real opportunity to effect change broader than security. Often, when people talk about "changing the culture," they simplify a complex process too much. What actually happens is a gradual shifting of behaviors and shaping of the culture. It's more evolution than change -- while it's happening.
If the new team gets it right, they'll work through a series of distinct elements, including:
- Creating awareness (the right definition) between actions and impacts; they'll also work to connect people to the value of the new/revised vision and the importance of each individual in the company.
- Building and offering regular experiences that allow individuals to convert information into understanding.
- Making the necessary structural and organizational changes to influence behavior matched to expected outcomes.
At the outset, bringing in a new team seems like a smart strategy for Target. They need to focus on the core of the business while publicly looking to rebuild a culture that considers security.
It takes thought, training, and skillful execution. It takes time. Stay tuned and look for future lessons we can all apply.
While considering the future, take these actions today
18 months from now should be an interesting time to check on how Target is doing. A true evolution of their culture is more likely a 3-5 year experience.
What it means for us in the meantime is the consideration - and recalibration - of our vision for success. Some questions to start the conversation include:
- What does it mean for us in security to be part of the company, of the culture?
- What role does security play in shifting behaviors and shaping the culture?
- What outcomes do we seek? How do those outcomes align with what is most important to the business?
By all means, use Target to generate discussions. While the resignation of the CEO may have little to do with the security breach, it still is a great way to talk about the importance of security in your organization. Just be careful celebrating the fall of someone who served a company for 35 years.
Seek alignment and embark on the journey for needed changes -- hopefully without a highly public data breach and changing of the guard. Use the changes in Target as a way to engage in healthy discussion about how security can better protect the business -- and the executives that lead it.