Target CIO's Resignation: 7 QuestionsAfter the data breach, why didn't the buck stop with PCI assessors or CEO? Search for accountability reveals flawed system, much finger-pointing.
9 Notorious Hackers Of 2013
(click image for larger view and for slideshow)
Pop quiz for discount retailers who suffer a high-profile data breach that impacts millions of customers, weakens sales, shaves a few points off of your stock price, and may cost your company hundreds of millions of dollars to clean up: What happens next?
For Target, that would be the departure of CIO Beth Jacob, who announced Wednesday -- in a letter to Gregg Steinhafel, Target's chairman, president, and CEO -- that she was resigning "effective immediately." The same day, Steinhafel said in a statement that Target planned to make a number of technology, information security, and compliance changes, and to hire an "interim CIO" to oversee that transition.
To be clear, Jacob was in charge of IT for a retailer that fell victim to a hack attack that resulted in 40 million credit and credit cards and personal information on 70 million customers being compromised. But was she unfairly forced out? And does an episode like this mean the end of a CIO's career?
Here are seven related points to consider:
1. Did Target make CIO a scapegoat?
Some people think Target's management team jettisoned Jacob, finding her a convenient scapegoat. "Target has been obviously impacted. People are questioning Target's security. And she was the fall guy," Walter Loeb, a New York-based independent retail consultant, told The Christian Science Monitor.
[For more on Target's shifting management team, read Target Seeks New CIO.]
But for information security industry veteran Ted Julian, who serves as chief marketing officer at incident response firm Co3 Systems, the end of Jacob's Target tenure wasn't a surprise. "Under these circumstances, it's pretty standard, if for no other reason than optically it just shows the company taking action. It allows them to get someone new with some new ideas and enthusiasm and excitement that can be shown to make aggressive changes," he said, speaking by phone.
Still, her post-breach departure was relatively rapid. "It is pretty typical for the CIO to take the fall, though typically not this quickly," Gartner analyst Avivah Litan said, speaking by phone. "The buck typically stops with the CIO, even though it should stop with the CEO."
On the other hand, according to recent studies, a CIO's job tenure lately lasts, on average, about six years. By that measure, Jacob's five years in the job rates as just about the norm.
2. Before the breach: Were warning signs ignored?
One frequent topic of conversation at last week's RSA conference in San Francisco involved a February 2014 Wall Street Journal report that Target staff had warned management that the retailer was at risk of having its POS systems compromised, at least two months prior to the breach.
But more than one RSA panel participant cautioned that it would be the rare information security team that wasn't sounding some types of alerts. The Journal's report also offered no signal-to-noise assessment of what other types of warnings that Target's CIO and senior management team may have received or acted upon.
"For every single breach I've been aware of, the alarms went off, but if you're getting one serious alarm buried in 10,000 or 100,000 alarms, it's hard to pick it out," Litan said. "There's so much noise, it's a lot like the patches on Windows or Internet Explorer -- here's another bug that was discovered, or certificate that was expired. You just get immunity."
Of course, some businesses seem complicit in their data breaches. Sony, for example, laid off most of its security staff in 2011 and was subsequently hacked more than a dozen times. But Target doesn't appear to have skimped on information security. "Here's what we do know: this was not an anemic security department that lacked staff or resources," Co3's Julian said. "That's not to say that maybe they shouldn't have more, but... this looks to be a well-funded, highly competent group, with extensive rapport across Target and the industry."
3. Will IT reboot better secure Target?
Target is now shopping for a new interim CIO and has hired consulting firm Promontory Financial Group to offer technology, staffing, and business process advice for the retailer's IT, information security, compliance, and risk-management reboot.
Instead of splitting information security responsibilities being between several people, Target will also look externally to hire its first-ever CISO as well as its first-ever chief compliance officer. The latter role was previously overseen by Ann Scovil, Target's VP of risk assurance and compliance, who has long planned to retire at the end of this month, the Wall Street Journal reported.
Asked about how the company planned to now handle risk management -- and whether it would designate a chief risk officer -- Target spokeswoman Molly Snyder said via email, "We haven't provided any additional details on that to date."
Former Target CIO Beth Jacob
4. Target's vacant technology jobs: caveat emptor?
In 2008, with the Great Recession gaining force, Jon Stewart famously asked then-presidential candidate Barack Obama: "With the kind of issues that face the country now... is there a sense that you don't want this?"
Might the same cautionary note be sounded for anyone
Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.
View Full Bio
1 of 2