Target CIOs Resignation: 7 Questions

Published: 22/11/2024   Category: security


After the data breach, why didn't the buck stop with PCI assessors or the CEO? The search for accountability reveals a flawed system and much finger-pointing.



Pop quiz for discount retailers who suffer a high-profile data breach that impacts millions of customers, weakens sales, shaves a few points off of your stock price, and may cost your company hundreds of millions of dollars to clean up: What happens next?
For Target, that would be the departure of CIO Beth Jacob, who announced Wednesday -- in a letter to Gregg Steinhafel, Target's chairman, president, and CEO -- that she was resigning effective immediately. The same day, Steinhafel said in a statement that Target planned to make a number of technology, information security, and compliance changes, and to hire an interim CIO to oversee that transition.
To be clear, Jacob was in charge of IT for a retailer that fell victim to a hack attack that resulted in 40 million credit and debit cards and personal information on 70 million customers being compromised. But was she unfairly forced out? And does an episode like this mean the end of a CIO's career?
Here are seven related points to consider:
1. Did Target make CIO a scapegoat?
Some people think Target's management team jettisoned Jacob, finding her a convenient scapegoat. "Target has been obviously impacted. People are questioning Target's security. And she was the fall guy," Walter Loeb, a New York-based independent retail consultant, told The Christian Science Monitor.
[For more on Target's shifting management team, read Target Seeks New CIO.]
But for information security industry veteran Ted Julian, who serves as chief marketing officer at incident response firm Co3 Systems, the end of Jacob's Target tenure wasn't a surprise. "Under these circumstances, it's pretty standard, if for no other reason than optically it just shows the company taking action. It allows them to get someone new with some new ideas and enthusiasm and excitement that can be shown to make aggressive changes," he said, speaking by phone.
Still, her post-breach departure was relatively rapid. "It is pretty typical for the CIO to take the fall, though typically not this quickly," Gartner analyst Avivah Litan said, speaking by phone. "The buck typically stops with the CIO, even though it should stop with the CEO."
On the other hand, according to recent studies, a CIO's job tenure lately lasts, on average, about six years. By that measure, Jacob's five years in the job rates as just about the norm.
2. Before the breach: Were warning signs ignored?
One frequent topic of conversation at last week's RSA conference in San Francisco involved a February 2014 Wall Street Journal report that Target staff had warned management that the retailer was at risk of having its POS systems compromised, at least two months prior to the breach.
But more than one RSA panel participant cautioned that it would be the rare information security team that wasn't sounding some types of alerts. The Journal's report also offered no signal-to-noise assessment of what other types of warnings Target's CIO and senior management team may have received or acted upon.
"For every single breach I've been aware of, the alarms went off, but if you're getting one serious alarm buried in 10,000 or 100,000 alarms, it's hard to pick it out," Litan said. "There's so much noise, it's a lot like the patches on Windows or Internet Explorer -- here's another bug that was discovered, or certificate that was expired. You just get immunity."
Of course, some businesses seem complicit in their data breaches. Sony, for example, laid off most of its security staff in 2011 and was subsequently hacked more than a dozen times. But Target doesn't appear to have skimped on information security. "Here's what we do know: this was not an anemic security department that lacked staff or resources," Co3's Julian said. "That's not to say that maybe they shouldn't have more, but... this looks to be a well-funded, highly competent group, with extensive rapport across Target and the industry."
3. Will IT reboot better secure Target?
Target is now shopping for a new interim CIO and has hired consulting firm Promontory Financial Group to offer technology, staffing, and business process advice for the retailer's IT, information security, compliance, and risk-management reboot.
Instead of splitting information security responsibilities between several people, Target will also look externally to hire its first-ever CISO as well as its first-ever chief compliance officer. The latter role was previously overseen by Ann Scovil, Target's VP of risk assurance and compliance, who has long planned to retire at the end of this month, the Wall Street Journal reported.
Asked about how the company planned to now handle risk management -- and whether it would designate a chief risk officer -- Target spokeswoman Molly Snyder said via email, "We haven't provided any additional details on that to date."
Figure 1: Former Target CIO Beth Jacob
4. Target's vacant technology jobs: caveat emptor?
In 2008, with the Great Recession gaining force, Jon Stewart famously asked then-presidential candidate Barack Obama: "With the kind of issues that face the country now... is there a sense that you don't want this?"
Might the same cautionary note be sounded for anyone considering CIO, CISO, or chief compliance officer roles at Target? "The moral of this story is, if you're in IT, don't go into retail," said Gartner's Litan. "Although the attackers are going everywhere," she added, noting that the retail industry is hardly the only sector being pummeled.
5. Will payment industry step up to stop POS malware?
Target's technology and risk reorganization aside, Litan said that the relative ease with which attackers can compromise POS systems doesn't only come down to the health of a retailer's information security program. "It's unfair to expect retailers to be able to fight this type of sophisticated malware," she said. "Even the security companies miss this type of malware." Litan continued, "It's really the payment systems themselves that have to change. Don't expect a working solution to the problem unless the payment card industry steps up."
6. Will PCI assessors take responsibility?
Likewise, part of the blame for Target's breach may lie with whichever Payment Card Industry Qualified Security Assessor (PCI QSA) certified Target as being compliant with the Payment Card Industry Data Security Standard (PCI DSS). "What about the QSA? No one ever talks about these PCI assessors," Litan pointed out.
She also criticized PCI assessors for having language in their contracts that precludes them from being held liable if a business they've certified as PCI-compliant later suffers a breach. "Why should the assessors escape liability? They're the third-party experts who are certified to achieve PCI compliance -- the CIO never went through PCI certification," Litan said. "That's why this process is so flawed. It's just stacked against the retailers and stacked for the banks and PCI players. They don't lose anything from these breaches, except for public reputation."
7. Life after Target for Jacob?
With Jacob's tenure as Target's CIO finished, will the retailer's data breach ruin her future career prospects? Co3's Julian said that in fact, the opposite will likely be true. "Frankly, it's been proven that the speakers circuit is a great place -- honestly -- for people to talk about the experience, and lessons learned, and all the rest," he said. "On top of that, often these people end up at a different CIO gig, or at some type of a consultancy, so this is not necessarily career-limiting at all."
