Target CEO resignation highlights cost of security blunders

Antone Gonsalves

The massive data breach that tarnished the career of Target Chief Executive Gregg Steinhafel and contributed to his resignation is a reminder of the worst-case scenario facing CEOs caught in a security SNAFU.

The theft of 10s of millions of credit-card numbers and customer records during last year's holiday season was not the only reason for Steinhafel's ouster Monday. Other blunders included heavy losses suffered in a push into Canada and continuing weakness in foot traffic in stores as people do more shopping online.

Nevertheless, the breach announced last December that damaged the retailer's reputation and was behind a drop in sales during the busiest shopping season of the year was certainly a major contributor to Steinhafel stepping down.

"The breach was the straw that broke the camel's back," Avivah Litan, analyst for Gartner, said.

The Target cyberattack, which was followed by intense media and congressional attention, was a "watershed event" for the retail industry, Litan said. Since then, CEOs have built closer ties to chief security officers, often having CSOs report directly to them.

"The Target breach did that (tighten the relationship) more than anything else I've seen in the retail industry," Litan said.

Other industry sectors have had their own catalysts for elevating the role of the CSO in business development. In the financial sector, the turning point were the 2012 distributed denial of service attacks by Iranian hacktivists that lasted for several months. For government agencies, it was former contractor Edward Snowden releasing sensitive documents last year on Internet spying by the U.S. National Security Agency.

Taken together, these events have drummed security in the consciousness of many CEOs.

"There's been a sea change in attitude among C-level executives in the last year," Litan said.

The lesson learned by Steinhafel's resignation is "you can no longer pin a major security event on a CISO (chief information security officer) or CIO (chief information officer) alone," Craig Carpenter, chief cybersecurity strategist for AccessData, said.

"If it hits the brand, then it's going to go to the very top," Carpenter said.

In the case of Target, CIO Beth Jacob left in March as a result of the breach fallout. Bob DeRodes, a former adviser to the U.S. Department of Homeland Security, replaced her last month.

Experts agree that C-level security officers should report directly to chief executives, rather than to the CIO.

"This is often a good idea, as it gives that executive (CSO, CISO) a degree of objectivity and independence internally, and it ensures that that person will have the credibility and weight of opinion in board meetings," Peter High, president of CIO advisory firm Metis Strategy, said in an opinion piece for Forbes.

1  2  Next Page