Target CIO's Resignation: 7 QuestionsAfter the data breach, why didn't the buck stop with PCI assessors or CEO? Search for accountability reveals flawed system, much finger-pointing.
considering CIO, CISO, or chief compliance officer roles at Target? "The moral of this story is, if you're in IT, don't go into retail," said Gartner's Litan. "Although the attackers are going everywhere," she added, noting that the retail industry is hardly the only sector being pummeled.
5. Will payment industry step up to stop POS malware?
Target's technology and risk reorganization aside, Litan said that the relative ease with which attackers can compromise POS systems doesn't only come down to the health of a retailer's information security program. "It's unfair to expect retailers to be able to fight this type of sophisticated malware," she said. "Even the security companies miss this type of malware." Litan continued, "It's really the payment systems themselves that have to change." Don't expect a working solution to the problem unless the payment card industry steps up.
6. Will PCI assessors take responsibility?
Likewise, part of the blame for Target's breach may lie with whichever Payment Card Industry Qualified Security Assessor (PCI QSA) certified Target as being compliant with the Payment Card Industry Data Security Standards (PCI DSS). "What about the QSA? No one ever talks about these PCI assessors," Litan pointed out.
She also criticized PCI assessors for having language in their contracts that precludes them from being held liable if a certified business they've certified as PCI-compliant later suffers a breach. "Why should the assessors escape liability? They're the third-party experts who are certified to achieve PCI compliance -- the CIO never went through PCI certification," Litan said. "That's why this process is so flawed. It's just stacked against the retailers and stacked for the banks and PCI players. They don't lose anything from these breaches, except for public reputation."
7. Life after Target for Jacob?
With Jacob's tenure as Target's CIO finished, will the retailer's data breach ruin her future career prospects? Co3's Julian said that in fact, the opposite will likely be true. "Frankly, it's been proven that the speaker's circuit is a great place -- honestly -- for people to talk about the experience, and lessons learned, and all the rest," he said. "On top of that, often these people end up at a different CIO gig, or at some type of a consultancy, so this is not necessarily career-limiting at all."
Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.
Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.
View Full Bio
2 of 2