Target CEO resignation highlights cost of security blunders

The massive data breach that tarnished the career of Target Chief Executive Gregg Steinhafel and contributed to his resignation is a reminder of the worst-case scenario facing CEOs caught up in a major security failure.

The theft of tens of millions of credit-card numbers and customer records during last year's holiday season was not the only reason for Steinhafel's ouster Monday. Other blunders included heavy losses suffered in a push into Canada and continuing weakness in foot traffic in stores as people do more of their shopping online.

Nevertheless, the breach announced last December, which damaged the retailer's reputation and was behind a drop in sales during the busiest shopping season of the year, was certainly a major contributor to Steinhafel stepping down.

"The breach was the straw that broke the camel's back," Avivah Litan, analyst for Gartner, said.

The Target cyberattack, which was followed by intense media and congressional attention, was a "watershed event" for the retail industry, Litan said. Since then, CEOs have built closer ties to chief security officers, often having CSOs report directly to them.

"The Target breach did that (tighten the relationship) more than anything else I've seen in the retail industry," Litan said.

Other industry sectors have had their own catalysts for elevating the role of the CSO in business decisions. In the financial sector, the turning point was the 2012 distributed denial-of-service attacks by Iranian hacktivists, which lasted for several months. For government agencies, it was former contractor Edward Snowden releasing sensitive documents last year on Internet spying by the U.S. National Security Agency.

Taken together, these events have drummed security into the consciousness of many CEOs.

"There's been a sea change in attitude among C-level executives in the last year," Litan said.

The lesson of Steinhafel's resignation is that "you can no longer pin a major security event on a CISO (chief information security officer) or CIO (chief information officer) alone," Craig Carpenter, chief cybersecurity strategist for AccessData, said.

"If it hits the brand, then it's going to go to the very top," Carpenter said.

In the case of Target, CIO Beth Jacob left in March as a result of the breach fallout. Bob DeRodes, a former adviser to the U.S. Department of Homeland Security, replaced her last month.

Experts agree that C-level security officers should report directly to chief executives, rather than to the CIO.

"This is often a good idea, as it gives that executive (CSO, CISO) a degree of objectivity and independence internally, and it ensures that that person will have the credibility and weight of opinion in board meetings," Peter High, president of CIO advisory firm Metis Strategy, said in an opinion piece for Forbes.

Company boards should invite C-level security pros to business development discussions, in order to get the security implications of decisions, High said.

The financial services and tech industries are examples of sectors where it is not unusual for security to be part of board-level discussions, Litan said. In other sectors, such as retail, board members are less technologically savvy and usually leave security responsibilities to the CEO.

"In most cases, they just want a one-paragraph summary that everything is taken care of," Litan said. "They don't know enough to micromanage. They don't even know what questions to ask."

Indeed, a recent Ponemon Institute survey of nearly 5,000 IT security professionals in the U.S. and 14 other countries found that eight in 10 did not believe that board-level executives understood the risks associated with losing sensitive data.

In Target's case, the company reported spending $61 million in the fourth quarter alone in dealing with the breach.

Target executives have acknowledged that security staff failed to heed early warnings from the company's detection systems in November that attackers had broken into its computer systems. The company did not start investigating until December, when federal authorities notified Target of suspicious activity on its networks.

Stories by Antone Gonsalves