Bad Guys Score Bull's-Eye on Target CEO

By Peter Bernstein May 06, 2014

In case like Rip Van Winkle you have been asleep for a while, this may be news. However, if you have been awake from any time around Thanksgiving of last year until now, you are aware that the third largest retailer, Target, was under attack first by cyber terrorists and then in no particular or weight of intensity or other metric, by the press, customers and investors.

Back on December 19 of last year, the company revealed that between Nov. 27 and Dec. 15, 2013, it had suffered a data breach which compromised 40 million credit and debit card accounts. And, if that were not enough, on Jan 10 of this year, the company said hackers also stole personal information from as many as 70 million customers which included things like names, addresses, email addresses and telephone numbers. 

There was a lot of hand-wringing and apologies from Target. There was curbside industry analysis from “subject matter experts” much of which turned out to be inaccurate, although details of precisely what happened remain under a cone of silence. Plus, there was more than plenty of security industry advice on ways to prevent this going forward, including adopting the much more secure chip-and-PIN technology used widely in Europe and which Target itself will now use next year thanks to an extreme security makeover. And, of course, there was the predictable political grandstanding about the need for tougher laws on security regulations.

The revelations also opened up serious discussions about the how vulnerable the merchants we deal with (and we all) are to having our personal data compromised and our identities stolen and used for illicit purposes. It was, in short, and pun intended, an arrow straight to the heart of the trustworthiness of modern technology, starting with the security of the point of sale (POS) terminals and touching everything else involving access to, and storage and transport of, our personal info. 

Well, today marks a milestone in this continuing saga for Target and the business world in general.  Target has announced that Chairman, President and CEO Greg Steinhafel, has resigned, effective immediately. 

I will not go into the details which can be read multiple times on the most of the 5,110 results (including almost 450 in-depth stories) on Google under “Gregg Steinhafel Steps Down.” Some have noted that Target during the Steinhafel leadership regime, which started in 2008 (he is actually a 35-year long Target employee), has been problematic. After all, he had to weather the recession, charges that his discounts were not as good as his competitors, an unsuccessful proxy fight to replace the board and what is being called the failure to launch in Canada. However, five months after the fist disclosure the bulk of the blame for his departure is his being in charge and then mishandling the data breach.  

As a statement from the Target board said, “He held himself personally accountable and pledged that Target would emerge a better company,” said the statement. “We are grateful to him for his tireless leadership and will always consider him a member of the Target family.” Steinhafel is remaining on as an advisor to the board, but his tenure as leader is over and prestigious executive search firm Korn Ferry has been hired to find a replacement.

What makes this a milestone -- along with obviously being big news if it were nothing more than the impact of the leader of Target stepping down -- is that this will be looked back upon as the first major CEO upon whom the cyber bad guys scored a bull’s-eye.

Image courtesy Shutterstock

He will not be the last. In fact, his departure should be a big-time warning to C-levels around the world that “it can happen to you.”  In fact, as those who read my following of the various reports from the security industry know, the likelihood of a data breach or other type of successful cyber attack may vary a little based on how inviting what your organization does is to those with malicious intent, but there is a strong probability you will be hit and hit hard in the next 12 months. This means not only is your CIO’s job at risk (as it was at Target, whose CIO departed several months ago), but depending on severity and actions taken so is the job of the big boss.

Needless to say, since the breach was first revealed, my inbox has been flooded with emails that start with, “In case you are writing an article about the Target data breach…”  And, putting aside the ones that were pure marketing ploys to promote vendor XYZ’s solution so that there will be no “next time,” I did get several that were food for thought. In fact, one in particular that comes from Craig Carpenter, Chief Cybersecurity Strategist at incident response & security firm, AccessData, whose thoughts are worth sharing.

After saying that it might even be a bit unfair to excoriate Mr. Steinhafel because like his CEO peers around the world he was not deeply familiar with Target’s security operations he explains, “...but that is exactly the point. Cybersecurity is so important that it needs to and will become a C- and Board-level matter … Cyberthreats are so pervasive and so potentially damaging to any corporate brand that the C-level and Board members cannot afford to not know what’s going on…Treat incident response as a one-off process, and your job may very well also be at risk.”

The above may seem obvious. There are consequences when things go wrong on your watch. It was what Carpenter had to say next that is the reason his thoughts need to be shared:

“Where Target fell down and where all of their peers should be very concerned was not with their defensive measures (which were well-funded and thought to have been generally good), which actually detected the breach within a day of first compromise. This story is entirely about Target's inability to 1) separate the real alarms from the noise, and 2) respond quickly, comprehensively and effectively to true cyber-threats. The vast majority of global businesses are in exactly the same position Target was (or even worse position), i.e., unable to manage incident response (IR) as a business process. Cyber-security vendors share more than a little of the blame, as many tout their wares as the cure to nasty things like the APT (Advanced Persistent Threat). But what good is technology if it neither tells users what alerts really matter, nor does anything to actually resolve them effectively?

The Target example will push global corporations and government entities to mature their IR posture. Incident response, which failed at Target, will become a key business process just like so many other operational processes, eventually being highly predictable, measurable and able to be relied upon every day. Incidentally, there is also a major push underway globally – the EU is already well ahead of the U.S. here – to codify breach notification, which will provide a legal IR requirement that does not exist today. That will expedite the maturing of IR processes even more.”

The facts are that many of today’s most vicious cyber attacks go undetected for, in many cases, weeks. In addition, as Carpenter points out, the lack of what would seem like a basic -- having an adequate incident response capability -- is appalling. Indeed, it could be argued by disgruntled shareholders and others footing the bills for remediation—which in the case of Target is an estimate $61 million and counting, and does not include the damage to the brand which has been reflected in plunging sales and a plunging stock price—that not following best practices in terms of prevention and remediation should be grounds for firing. And, at this point that would include the CEO; and the leash should not be very long in terms of time frames. 

Target has a very familiar mascot whose name used to be “Spot”, and is now “Target Dog” aka “Bull’s-eye.”

Image courtesy Target

It might be time to rethink the use of their mascot Bull’s-eye. He is a Bull Terrier. The breed is known for their determination, especially when it comes to how protective of their turf and owners they are. From a brand stewardship perspective, having Bull’s-eye go on a national tour promoting personal information best practices might not be a bad way for Target to regain customer trust and get the target off their back. 

Edited by Rory J. Thompson
Related Articles

6 Challenges of 5G, and the 9 Pillars of Assurance Strategy

By: Special Guest    9/17/2018

To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…

Read More

Putting the Flow into Workflow, Paessler and Briefery Help Businesses Operate Better

By: Cynthia S. Artin    9/14/2018

The digital transformation of business is generating a lot of value, through more automation, more intelligence, and ultimately more efficiency.

Read More

From Mainframe to Open Frameworks, Linux Foundation Fuels Up with Rocket Software

By: Special Guest    9/6/2018

Last week, at the Open Source Summit, hosted by The Linux Foundation, the Open Mainframe Project gave birth to Zowe, introduced a new open source soft…

Read More

Unified Office Takes a Trip to the Dentist Office

By: Cynthia S. Artin    9/6/2018

Not many of us love going to see the dentist, and one company working across unified voice, productivity and even IoT systems is out to make the exper…

Read More

AIOps Outfit Moogsoft Launches Observe

By: Paula Bernier    8/30/2018

Moogsoft Observe advances the capabilities of AIOps to help IT teams better manage their services and applications in the face of a massive proliferat…

Read More