Target CEO resignation highlights cost of security blunders

May 05, 2014

Chief Executive Gregg Steinhafel's fall will heighten the attention CEOs in retail give to C-level security pros

The massive data breach that tarnished the career of Target Chief Executive Gregg Steinhafel and contributed to his resignation is a reminder of the worst-case scenario facing CEOs caught in a security SNAFU.

The theft of tens of millions of credit-card numbers and customer records during last year’s holiday season was not the only reason for Steinhafel’s ouster Monday. Other blunders included heavy losses suffered in a push into Canada and continuing weakness in foot traffic in stores as people do more shopping online.

Nevertheless, the breach announced last December, which damaged the retailer’s reputation and was behind a drop in sales during the busiest shopping season of the year, was certainly a major contributor to Steinhafel stepping down.

“The breach was the straw that broke the camel’s back,” Avivah Litan, analyst for Gartner, said.

The Target cyberattack, which was followed by intense media and congressional attention, was a “watershed event” for the retail industry, Litan said. Since then, CEOs have built closer ties to chief security officers, often having CSOs report directly to them.

“The Target breach did that (tighten the relationship) more than anything else I’ve seen in the retail industry,” Litan said.

Other industry sectors have had their own catalysts for elevating the role of the CSO in business development. In the financial sector, the turning point was the 2012 distributed denial-of-service attacks by Iranian hacktivists that lasted for several months. For government agencies, it was former contractor Edward Snowden releasing sensitive documents last year on Internet spying by the U.S. National Security Agency.

Taken together, these events have drummed security into the consciousness of many CEOs.

“There’s been a sea change in attitude among C-level executives in the last year,” Litan said.

The lesson of Steinhafel’s resignation is that “you can no longer pin a major security event on a CISO (chief information security officer) or CIO (chief information officer) alone,” Craig Carpenter, chief cybersecurity strategist for AccessData, said.

“If it hits the brand, then it’s going to go to the very top,” Carpenter said.

In the case of Target, CIO Beth Jacob left in March as a result of the breach fallout. Bob DeRodes, a former adviser to the U.S. Department of Homeland Security, replaced her last month.

Experts agree that C-level security officers should report directly to chief executives, rather than to the CIO.

“This is often a good idea, as it gives that executive (CSO, CISO) a degree of objectivity and independence internally, and it ensures that that person will have the credibility and weight of opinion in board meetings,” Peter High, president of CIO advisory firm Metis Strategy, said in an opinion piece for Forbes.

Company boards should invite C-level security pros to business development discussions in order to understand the security implications of decisions, High said.

The financial services and tech industries are examples of sectors where it is not unusual for security to be a part of board-level discussions, Litan said. In other sectors, such as retail, board members are less technologically savvy and usually leave security responsibilities with the CEO.

“In most cases, they just want a one-paragraph summary that everything is taken care of,” Litan said. “They don’t know enough to micromanage. They don’t even know what questions to ask.”

Indeed, a recent Ponemon Institute survey of nearly 5,000 IT security professionals in the U.S. and 14 other countries found that eight in 10 did not believe that board-level executives understood the risks associated with losing sensitive data.

In Target’s case, the company reported spending $61 million in the fourth quarter alone in dealing with the breach.

Target executives have acknowledged that security pros failed to heed early warnings from detection systems in November that attackers had broken into its computer systems. The company did not start investigating until December, when federal authorities notified Target of suspicious activity on its networks.