How the Target CEO resignation will affect other execs' security views

Experts say the resignation of Target CEO Gregg Steinhafel shows that executives at other companies must now take security seriously -- or else.

Target Corp. announced today that CEO Gregg Steinhafel has stepped down from his position, effective immediately,...

less than five months after it was discovered the retail giant had been struck by a massive data breach.

The buck ultimately has to stop at the highest level of executives, and if executives don't care about security, there have to be consequences.

John Kindervag,
vice president, Forrester Research.

Industry observers said Steinhafel's de-facto ouster may be a turning point for enterprise information security's importance in the C-suite, proving that CEOs must take infosec seriously -- or face the consequences.

The Target data breach saga -- resulting in the loss of approximately 40 million payment cards and the personal information of up to 70 million customers -- has embroiled the retail giant since its discovery. Facing dozens of lawsuits, several congressional hearings, and a stock that as of press time had fallen 5.6% this year, Steinhafel seemed unable to move the company past the public relations hit it suffered as a result of the incident.

In a statement this morning, Target's board of directors thanked Steinhafel, a 35-year veteran of the company and CEO since 2008, for his service, and said that current CFO John Mulligan would be taking over as CEO in the interim. Target director Roxanne Austin will assume Steinhafel's board of directors' responsibilities as interim non-executive chair.

"Most recently, Gregg led the response to Target's 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company," said Target's board in a statement. "We are grateful to him for his tireless leadership and will always consider him a member of the Target family."

Steinhafel's resignation follows on the heels of former Target CIO Beth Jacob's exit in March. Jacob was reportedly the executive meant to be overseeing the company's IT security program, as the company had never created the position of CISO. Bob DeRodes, Jacob's replacement and a long-time tech executive, has been tasked with handling Target's ongoing security efforts, including the hastened switch to a chip-and-pin payment infrastructure.

CEO ouster following breach 'unprecedented'

Mike Rothman, analyst and president for Phoenix-based security consultancy Securosis, said he was "genuinely shocked" by Target's decision to remove Steinhafel, noting that the move to axe a senior executive on the basis of a security incident is practically unprecedented.

"I'm pretty shocked that something like this would take out not just the CIO, but the CEO, and a 35-year guy at Target at that," Rothman said. "I think that retailers are obviously public-facing and are at more risk as a result, but again, you've had so many public-facing companies that went through things like this and the leadership survived. That's something I have not seen."

John Kindervag, vice president and principal analyst at Forrester Research, agreed with Rothman that the resignation of Target's CEO is a unique event for the security industry, but said that such action is long overdue for companies that experience major breaches, particularly when, in his view, executives remain uninterested in implementing proper security procedures.

Target had reportedly deployed top-of-line security equipment from established vendors, including FireEye Inc. and Symantec Corp., and also established around-the-clock security operation centers to manage its security technology, but according to Kindervag, the company's failure to follow the basic tenets of the Payment Card Industry Data Security Standard showed an inability by its now-outgoing execs to take security processes seriously.

Even with the deck stacked against Target's senior leadership, Kindervag said companies would normally look to make a CISO the scapegoat for a major incident. Target had failed to establish a dedicated security figurehead though -- another strike against Steinhafel during his tenure as CEO -- so the company first sacrificed the CIO and, with the effects of the breach still lingering, now the CEO.

"I've often said the CISO was designed to be fired," Kindervag said. "Finally, some company understood that the buck ultimately has to stop at the highest level of executives, and if executives don't care about security, there [has] to be consequences."

The fallout of the Target data breach extends far beyond just the company's ousted executives, according to Chris Eng, vice president of security research at Veracode Inc. C-suiters at organizations across all industries must now be aware that a costly, protracted security incident may well just land them in the hot seat -- and those organizations still lacking a CISO will likely look more intently at creating and filling the position.

Rothman said most CEOs at Fortune 500-level organizations were already in contact with their CISOs just after the Target breach was reported, but with executives finally feeling the consequences of a security letdown, they'll now be seeking assurances that they won't be the next in line.

"When a 35-year guy gets his head cut off because of a security issue," Rothman said, "all of these guys will feel vulnerable."

Target's next move

Eng said Target made a positive move in April when it appointed a security-savvy CIO in tech veteran Bob DeRodes, but that the Fortune 500 retailer has much work to do if it wants to re-establish trust with customers and rebuild its beleaguered security program.

First and foremost, according to Eng, Target must identify a CISO to head up the security program operationally and from a public-facing standpoint, and that would preferably report directly to the CEO. Just as importantly, the company must assess its security program, he said, and should begin by establishing a baseline of its overall security posture.

That means taking stock of its information assets, Eng noted, by determining what software development is going on within the organization, what the company is purchasing, what risks are being assumed with that purchased software, and so on. For a large-scale organization like Target, Eng said he expects that process to take at least one financial quarter, if not longer.

"It's hard to make any specific roadmap for a security program until you figure out how good or bad you are in different areas," Eng said. "With most large organizations, there's no one central place where you can find that; you've got to go around and start piecing everything together.

"The initial compromise came through an HVAC vendor, so Target will have to think about the security of its entire supply chain," Eng added, "but they can't do that until they understand all of the pieces of the puzzle."

Such a lengthy process will just worsen a breach that already costs a staggering amount, according to Kindervag, who had previously noted that the fallout from the incident could cost Target as much as $100 million. Now, he said, the price tag for the breach could rise to $1 billion or more.

Kindervag said other companies should keep that cost in mind when deciding whether to hire a CISO or follow good security practices, because despite many executives seeing security as a cost center, it's generally much cheaper to do things right initially rather than pay the price later.

"The sky is almost the limit," said Kindervag, in attempting to quantify how much Target will have to spend to repair the damage caused by the breach. "They're going to spend orders of magnitude more than they would have spent by doing the right things up front."

Dig Deeper on Identity Theft and Data Security Breaches

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

4 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.

The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.

- Target Corporation, 2012 Securities and Exchange Commission Form 10-K, Page 7
Cancel
"The sky is almost the limit," said Kindervag, in attempting to quantify how much Target will have to spend to repair the damage caused by the breach. "They're going to spend orders of magnitude more than they would have spent by doing the right things up front."

Just like BP after the Deepwater Horizon disaster. They could have spent about a million or two million dollars to prevent the spill, but BP has a habit of not spending money on safety, and as a result it cost BP 35 billion dollars to not spend the one or two million in the first place.
Cancel
Judgement day has arrived. Booting the CIO was the thing to do in the past, now punishment will be shared across the C-Suite.

CCO (Chief Compliance Officer)
CEO (Chief Executive Officer)
CIO (Chief Information Officer)
CFO (Chief Financial Officer)
CKO (Chief Knowledge Officer)
CSO (Chief Security Officer)
CDO (Chief Data Officer)
CVO (Chief Visionary Officer)
CPIO (Chief Process and Innovation Officer)
CMO (Chief Marketing Officer)

If its proven that CFO's didn't loosen the purse strings for security enhancements and a significant breach occurs, say goodnight.

If the CTO, CSO didn't sound the technology alarm bell, say goodnight.

Ladies and Gentlemen, this is now a shared corporate responsibility, its just that serious.
Cancel
Made this decision in an effort to recapture consumer confidence following the security breach
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close