CIO not the only one to blame for Target breach

Beth Jacob's resignation not surprising, but disappointing, analysts say

That someone had to take the fall for the massive breach at Target is neither surprising nor unexpected. The only question is whether more heads will roll in the aftermath of one of the biggest data compromises in retail history.

Target on Wednesday announced that Beth Jacob, its CIO of more than five years, had resigned. The move comes less than two months after the retail giant disclosed it had suffered a data breach that exposed sensitive data on more than 40 million credit and debit cards.

Later, the company announced that emails, addresses and other information on another 70 million people might also have been exposed as the result of the intrusion, which occurred over the 2013 Thanksgiving weekend.

In a statement to the Associated Press, Target CEO Gregg Steinhafel said the company is searching for an interim CIO to help it through an information security overhaul that began after the breach.

Target is also elevating the role of the CISO and is looking for a chief compliance officer as part of the transformation effort.

Such moves are not that unusual for organizations that have suffered major breaches. In the past few years several CIOs and technology executives have been held similarly accountable for security lapses.

In 2012, the executive director of Utah's Department of Technology Services was forced to resign over a data breach that exposed the Social Security numbers and other personal data of about 280,000 Medicaid recipients. Utah Gov. Gary Herbert cited a lack of "oversight and leadership" in seeking the resignation.

In 2006, Maureen Govern, AOL's chief technology officer, quit her job in the aftermath of a disclosure that the company had publicly released data on searches done by about 650,000 of its online subscribers. Two employees in the company's research division, which was responsible for the release of the data, were let go.

That same year, Ohio University's CIO William Sams resigned from his job and two top IT managers were sacked following a series of data breaches.

Jacob's fate was even more likely given the scope and the nature of the Target compromise.

The breach, which is still under investigation, is sure to cost Target hundreds of millions of dollars in remediation costs, lawsuits, fines and legal fees.

Even so, the development is unfortunate, said Gartner analyst Avivah Litan.

"You almost have to be a superhuman with 25 hours a day to spend on security issues to be an effective large retailer CIO these days. And that simply doesn't exist," Litan said.

It is also surprising that the company that assessed Target's compliance with the Payment Card Industry Data Security Standard is not taking some responsibility, she said. Target suffered the breach despite being certified as being PCI compliant.

"I don't understand why the qualified PCI security assessor is totally off the hook in this case," Litan noted. "CIOs rightfully rely on [qualified security assessors] to certify PCI compliance," Litan said. "Sure the standard response is 'well things change between annual assessments'," she said. "Yes they do, but that's a big copout on the QSA's part if you ask me."

Jim Huguelet, an independent retail security consultant, expressed surprise at Jacob's timing. "She did not tender her resignation in the days or weeks immediately following the disclosure when the pressure was most acute," he noted. Jacob also didn't wait longer to put some distance between the event and her departure, he said.

"She does not appear to have a professional background in information technology, so perhaps she felt it was appropriate to allow someone with a deeper technical background to lead their IT organization through the coming months and years of the work ahead of them," Huguelet said.

The Target incident underscores the need for technology executives to keep CEOs and the entire board abreast of cybersecurity developments at all times, said Chris Pierson, chief security officer at Viewpost.

"We as an industry need to improve how we communicate that breaches are not 100% preventable and need the people, tech and processes to handle these sophisticated threats," he said. "This is a cyber, law, privacy, and risk issue that touches everyone and must be addressed holistically."

This article, CIO not the only one to blame for Target breach, was originally published at

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
