The US retail giant Target has had its Chairman, President and CEO Gregg Steinhafel step down "effective immediately" as a component of the post-breach clean-up and in response to declining numbers. This is five months after the breach. We have seen the company fall on its sword and admit that there were mistakes. We have seen a new CIO join the company in Bob DeRodes. Change was inevitable.
From Target Press Release:
He [Steinhafel] also led the company through unprecedented challenges, navigating the financial recession, reacting to challenges with Target’s expansion into Canada, and successfully defending the company through a high-profile proxy battle.
Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership and will always consider him a member of the Target family.
The writing was on the wall.
We have seen the exit now for the CIO and the CEO of Target but, what of the CISO? Well, apparently there wasn't one. Not officially at least.
From the Star Tribune:
Brenda Bjerke, Target’s senior director for information protection, held some of the responsibilities of a chief information security officer, but was not a chief information security officer, she said.
What an odd quote. So, Target is now searching for a CISO.
Anyway, just last week Target posted an update as to what they're doing to ensure that there isn't an encore breach performance. They are "enhancing monitoring and logging" and I will not kick them while they're down. Target is implementing application whitelisting on their point-of-sale systems as well as improving their network segmentation. They have also disabled third-party vendors' FTP and Telnet access into their network. These are security fundamentals that seem to have fallen by the wayside.
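To make the segmentation and legacy-protocol points concrete, here is an added example (my own illustration, not code from the original post and nothing to do with Target's actual environment) that runs a simple policy check over constructed firewall log lines: it flags any allowed flow from a third-party vendor zone that uses FTP or Telnet, and any allowed flow from that zone into the POS segment at all. The subnets, the log line format and the sample records are all assumptions chosen for the example.

```python
"""Added example (not from the original post or from Target): a policy
check over constructed firewall log lines for the controls described in
the post, i.e. third-party vendor hosts using FTP/Telnet and vendor
traffic crossing into the POS segment. Subnets, log format and sample
records below are assumptions for illustration only."""
import ipaddress
import re

# Assumed network zones (illustrative addressing, not a real network).
VENDOR_ZONE = ipaddress.ip_network("10.50.0.0/16")
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Cleartext protocols that third parties should no longer reach.
LEGACY_PORTS = {21: "ftp", 23: "telnet"}

# Assumed log line format: "<ts> ALLOW|DENY proto=tcp src=IP:PORT dst=IP:PORT"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def check_flow(rec):
    """Return the list of policy findings for one parsed flow record."""
    findings = []
    if rec["action"] != "ALLOW":
        return findings  # the firewall already blocked it; nothing to report
    from_vendor = rec["src"] in VENDOR_ZONE
    if from_vendor and rec["dport"] in LEGACY_PORTS:
        findings.append(
            f"vendor {rec['src']} used {LEGACY_PORTS[rec['dport']]} to {rec['dst']}"
        )
    if from_vendor and rec["dst"] in POS_SEGMENT:
        findings.append(
            f"vendor {rec['src']} reached POS segment host {rec['dst']}:{rec['dport']}"
        )
    return findings


def audit(lines):
    """Run check_flow over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        findings.extend(check_flow(rec))
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2014-05-05T10:00:01Z ALLOW proto=tcp src=10.50.1.20:51000 dst=10.10.5.5:21",
    "2014-05-05T10:00:02Z ALLOW proto=tcp src=10.50.1.20:51001 dst=10.20.3.7:23",
    "2014-05-05T10:00:03Z ALLOW proto=tcp src=10.50.1.21:51002 dst=10.20.3.9:443",
    "2014-05-05T10:00:04Z DENY proto=tcp src=10.50.1.21:51003 dst=10.20.3.9:23",
    "2014-05-05T10:00:05Z ALLOW proto=tcp src=10.10.5.5:40000 dst=10.10.5.6:22",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample above the check reports four findings: the FTP session from the vendor zone, the Telnet session into a POS host (which trips both rules), and the HTTPS session into the POS segment, which is the segmentation violation that a port-only rule would miss. The denied Telnet attempt and the internal SSH session produce nothing, and the unparseable line is skipped rather than counted.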
An armchair quarterback can sit back and pound their chest saying "See, I told ya." But the reality is that in a large corporation such as this, a significant event is often needed to effect change. To borrow from Newton's First Law, an object at rest stays at rest and an object in motion stays in motion with the same speed and in the same direction unless acted upon by an unbalanced force. We have seen a significant breach and falling retail numbers. Target has been acted upon and is now in motion. They can only move forward from this point.
That being said, it can be surmised that the breach was little more than a convenient pretext to remove the current CEO for a series of missteps. One can well imagine that every CISO the world over is in their boss's office today explaining why the Target breach won't happen to them.
Now, brace yourself. The CEO related security sales pitches are coming.
(Image used under CC from Erika)