Bad Guys Score Bull's-Eye on Target CEO

By Peter Bernstein May 06, 2014

In case like Rip Van Winkle you have been asleep for a while, this may be news. However, if you have been awake from any time around Thanksgiving of last year until now, you are aware that the third largest retailer, Target, was under attack first by cyber terrorists and then in no particular or weight of intensity or other metric, by the press, customers and investors.

Back on December 19 of last year, the company revealed that between Nov. 27 and Dec. 15, 2013, it had suffered a data breach which compromised 40 million credit and debit card accounts. And, if that were not enough, on Jan 10 of this year, the company said hackers also stole personal information from as many as 70 million customers which included things like names, addresses, email addresses and telephone numbers. 

There was a lot of hand-wringing and apologies from Target. There was curbside industry analysis from “subject matter experts” much of which turned out to be inaccurate, although details of precisely what happened remain under a cone of silence. Plus, there was more than plenty of security industry advice on ways to prevent this going forward, including adopting the much more secure chip-and-PIN technology used widely in Europe and which Target itself will now use next year thanks to an extreme security makeover. And, of course, there was the predictable political grandstanding about the need for tougher laws on security regulations.

The revelations also opened up serious discussions about the how vulnerable the merchants we deal with (and we all) are to having our personal data compromised and our identities stolen and used for illicit purposes. It was, in short, and pun intended, an arrow straight to the heart of the trustworthiness of modern technology, starting with the security of the point of sale (POS) terminals and touching everything else involving access to, and storage and transport of, our personal info. 

Well, today marks a milestone in this continuing saga for Target and the business world in general.  Target has announced that Chairman, President and CEO Greg Steinhafel, has resigned, effective immediately. 

I will not go into the details which can be read multiple times on the most of the 5,110 results (including almost 450 in-depth stories) on Google under “Gregg Steinhafel Steps Down.” Some have noted that Target during the Steinhafel leadership regime, which started in 2008 (he is actually a 35-year long Target employee), has been problematic. After all, he had to weather the recession, charges that his discounts were not as good as his competitors, an unsuccessful proxy fight to replace the board and what is being called the failure to launch in Canada. However, five months after the fist disclosure the bulk of the blame for his departure is his being in charge and then mishandling the data breach.  

As a statement from the Target board said, “He held himself personally accountable and pledged that Target would emerge a better company,” said the statement. “We are grateful to him for his tireless leadership and will always consider him a member of the Target family.” Steinhafel is remaining on as an advisor to the board, but his tenure as leader is over and prestigious executive search firm Korn Ferry has been hired to find a replacement.

What makes this a milestone -- along with obviously being big news if it were nothing more than the impact of the leader of Target stepping down -- is that this will be looked back upon as the first major CEO upon whom the cyber bad guys scored a bull’s-eye.

Image courtesy Shutterstock

He will not be the last. In fact, his departure should be a big-time warning to C-levels around the world that “it can happen to you.”  In fact, as those who read my following of the various reports from the security industry know, the likelihood of a data breach or other type of successful cyber attack may vary a little based on how inviting what your organization does is to those with malicious intent, but there is a strong probability you will be hit and hit hard in the next 12 months. This means not only is your CIO’s job at risk (as it was at Target, whose CIO departed several months ago), but depending on severity and actions taken so is the job of the big boss.

Needless to say, since the breach was first revealed, my inbox has been flooded with emails that start with, “In case you are writing an article about the Target data breach…”  And, putting aside the ones that were pure marketing ploys to promote vendor XYZ’s solution so that there will be no “next time,” I did get several that were food for thought. In fact, one in particular that comes from Craig Carpenter, Chief Cybersecurity Strategist at incident response & security firm, AccessData, whose thoughts are worth sharing.

After saying that it might even be a bit unfair to excoriate Mr. Steinhafel because like his CEO peers around the world he was not deeply familiar with Target’s security operations he explains, “...but that is exactly the point. Cybersecurity is so important that it needs to and will become a C- and Board-level matter … Cyberthreats are so pervasive and so potentially damaging to any corporate brand that the C-level and Board members cannot afford to not know what’s going on…Treat incident response as a one-off process, and your job may very well also be at risk.”

The above may seem obvious. There are consequences when things go wrong on your watch. It was what Carpenter had to say next that is the reason his thoughts need to be shared:

“Where Target fell down and where all of their peers should be very concerned was not with their defensive measures (which were well-funded and thought to have been generally good), which actually detected the breach within a day of first compromise. This story is entirely about Target's inability to 1) separate the real alarms from the noise, and 2) respond quickly, comprehensively and effectively to true cyber-threats. The vast majority of global businesses are in exactly the same position Target was (or even worse position), i.e., unable to manage incident response (IR) as a business process. Cyber-security vendors share more than a little of the blame, as many tout their wares as the cure to nasty things like the APT (Advanced Persistent Threat). But what good is technology if it neither tells users what alerts really matter, nor does anything to actually resolve them effectively?

The Target example will push global corporations and government entities to mature their IR posture. Incident response, which failed at Target, will become a key business process just like so many other operational processes, eventually being highly predictable, measurable and able to be relied upon every day. Incidentally, there is also a major push underway globally – the EU is already well ahead of the U.S. here – to codify breach notification, which will provide a legal IR requirement that does not exist today. That will expedite the maturing of IR processes even more.”

The facts are that many of today’s most vicious cyber attacks go undetected for, in many cases, weeks. In addition, as Carpenter points out, the lack of what would seem like a basic -- having an adequate incident response capability -- is appalling. Indeed, it could be argued by disgruntled shareholders and others footing the bills for remediation—which in the case of Target is an estimate $61 million and counting, and does not include the damage to the brand which has been reflected in plunging sales and a plunging stock price—that not following best practices in terms of prevention and remediation should be grounds for firing. And, at this point that would include the CEO; and the leash should not be very long in terms of time frames. 

Target has a very familiar mascot whose name used to be “Spot”, and is now “Target Dog” aka “Bull’s-eye.”

Image courtesy Target

It might be time to rethink the use of their mascot Bull’s-eye. He is a Bull Terrier. The breed is known for their determination, especially when it comes to how protective of their turf and owners they are. From a brand stewardship perspective, having Bull’s-eye go on a national tour promoting personal information best practices might not be a bad way for Target to regain customer trust and get the target off their back. 

Edited by Rory J. Thompson
Related Articles

Is 5G a Spectrum-eating Monster that Destroys Competition?

By: Fred Goldstein    6/15/2018

To hear the current FCC talk about it, 5G mobile service is the be-all and end-all of not only mobile communications, but the answer to most of the co…

Read More

FX Group Makes the Red Carpet Shoppable with Blockchain-Based mCart Marketplace-as-a-Service

By: TMCnet News    6/14/2018

mCart by Mavatar announces the launch of the world's first blockchain-based decentralized mCart marketplace by the FX Group.

Read More

Judge Gives AT&T-Time Warner Deal Green Light

By: Paula Bernier    6/12/2018

Federal judge Richard Leon gave the $85 billion deal the green light today - and without any requirements to sell off any parts of the company. He als…

Read More

A New Foundation for Evolving Blockchain As a Fundamental Network Technology

By: Arti Loftus    6/12/2018

There are now thousands of blockchains, and unless you are a cryptophile, you won't recognize most of them.

Read More