Target Corp. announced today that CEO Gregg Steinhafel has stepped down from his position, effective immediately, less than five months after it was discovered the retail giant had been struck by a massive data breach.
The buck ultimately has to stop at the highest level of executives, and if executives don't care about security, there have to be consequences.
vice president, Forrester Research.
Industry observers said Steinhafel's de-facto ouster may be a turning point for enterprise information security's importance in the C-suite, proving that CEOs must take infosec seriously -- or face the consequences.
The Target data breach saga -- resulting in the loss of approximately 40 million payment cards and the personal information of up to 70 million customers -- has embroiled the retail giant since its discovery. Facing dozens of lawsuits, several congressional hearings, and a stock that as of press time had fallen 5.6% this year, Steinhafel seemed unable to move the company past the public relations hit it suffered as a result of the incident.
In a statement this morning, Target's board of directors thanked Steinhafel, a 35-year veteran of the company and CEO since 2008, for his service, and said that current CFO John Mulligan would be taking over as CEO in the interim. Target director Roxanne Austin will assume Steinhafel's board of directors' responsibilities as interim non-executive chair.
"Most recently, Gregg led the response to Target's 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company," said Target's board in a statement. "We are grateful to him for his tireless leadership and will always consider him a member of the Target family."
Steinhafel's resignation follows on the heels of former Target CIO Beth Jacob's exit in March. Jacob was reportedly the executive meant to be overseeing the company's IT security program, as the company had never created the position of CISO. Bob DeRodes, Jacob's replacement and a long-time tech executive, has been tasked with handling Target's ongoing security efforts, including the hastened switch to a chip-and-pin payment infrastructure.
CEO ouster following breach 'unprecedented'
Mike Rothman, analyst and president for Phoenix-based security consultancy Securosis, said he was "genuinely shocked" by Target's decision to remove Steinhafel, noting that the move to axe a senior executive on the basis of a security incident is practically unprecedented.
"I'm pretty shocked that something like this would take out not just the CIO, but the CEO, and a 35-year guy at Target at that," Rothman said. "I think that retailers are obviously public-facing and are at more risk as a result, but again, you've had so many public-facing companies that went through things like this and the leadership survived. That's something I have not seen."
John Kindervag, vice president and principal analyst at Forrester Research, agreed with Rothman that the resignation of Target's CEO is a unique event for the security industry, but said that such action is long overdue for companies that experience major breaches, particularly when, in his view, executives remain uninterested in implementing proper security procedures.
Target had reportedly deployed top-of-line security equipment from established vendors, including FireEye Inc. and Symantec Corp., and also established around-the-clock security operation centers to manage its security technology, but according to Kindervag, the company's failure to follow the basic tenets of the Payment Card Industry Data Security Standard showed an inability by its now-outgoing execs to take security processes seriously.
Even with the deck stacked against Target's senior leadership, Kindervag said companies would normally look to make a CISO the scapegoat for a major incident. Target had failed to establish a dedicated security figurehead though -- another strike against Steinhafel during his tenure as CEO -- so the company first sacrificed the CIO and, with the effects of the breach still lingering, now the CEO.
"I've often said the CISO was designed to be fired," Kindervag said. "Finally, some company understood that the buck ultimately has to stop at the highest level of executives, and if executives don't care about security, there [has] to be consequences."
The fallout of the Target data breach extends far beyond just the company's ousted executives, according to Chris Eng, vice president of security research at Veracode Inc. C-suiters at organizations across all industries must now be aware that a costly, protracted security incident may well just land them in the hot seat -- and those organizations still lacking a CISO will likely look more intently at creating and filling the position.
Rothman said most CEOs at Fortune 500-level organizations were already in contact with their CISOs just after the Target breach was reported, but with executives finally feeling the consequences of a security letdown, they'll now be seeking assurances that they won't be the next in line.
"When a 35-year guy gets his head cut off because of a security issue," Rothman said, "all of these guys will feel vulnerable."
Target's next move
Eng said Target made a positive move in April when it appointed a security-savvy CIO in tech veteran Bob DeRodes, but that the Fortune 500 retailer has much work to do if it wants to re-establish trust with customers and rebuild its beleaguered security program.
First and foremost, according to Eng, Target must identify a CISO to head up the security program operationally and from a public-facing standpoint, and that would preferably report directly to the CEO. Just as importantly, the company must assess its security program, he said, and should begin by establishing a baseline of its overall security posture.
That means taking stock of its information assets, Eng noted, by determining what software development is going on within the organization, what the company is purchasing, what risks are being assumed with that purchased software, and so on. For a large-scale organization like Target, Eng said he expects that process to take at least one financial quarter, if not longer.
"It's hard to make any specific roadmap for a security program until you figure out how good or bad you are in different areas," Eng said. "With most large organizations, there's no one central place where you can find that; you've got to go around and start piecing everything together.
"The initial compromise came through an HVAC vendor, so Target will have to think about the security of its entire supply chain," Eng added, "but they can't do that until they understand all of the pieces of the puzzle."
Such a lengthy process will just worsen a breach that already costs a staggering amount, according to Kindervag, who had previously noted that the fallout from the incident could cost Target as much as $100 million. Now, he said, the price tag for the breach could rise to $1 billion or more.
Kindervag said other companies should keep that cost in mind when deciding whether to hire a CISO or follow good security practices, because despite many executives seeing security as a cost center, it's generally much cheaper to do things right initially rather than pay the price later.
"The sky is almost the limit," said Kindervag, in attempting to quantify how much Target will have to spend to repair the damage caused by the breach. "They're going to spend orders of magnitude more than they would have spent by doing the right things up front."