CIO not the only one to blame for Target breach

Beth Jacob's resignation not surprising, but disappointing analysts say

That someone had to take the fall for the massive breach at Target is neither surprising nor unexpected. The only question is whether more heads will roll in the aftermath of one the biggest data compromises in retail history.

Target on Wednesday announced that Beth Jacob, its CIO of more than five years, had resigned. The move comes less than two months after the retail giant disclosed it had suffered a data breach that exposed sensitive data on more than 40 million credit and debit cards.

Later, the company announced that emails, addresses and other information on another 70 million people might also have been exposed as the result of the intrusion, which occurred over the 2013 Thanksgiving weekend.

In a statement to the Associated Press, Target CEO Gregg Steinhafel said the company is searching for an interim CIO to help it through an information security overhaul that began after the breach.

Target is also elevating the role of the CISO and is looking for a chief compliance officer as part of the transformation effort.

Such moves are not that unusual for organizations that have suffered major breaches. In the past few years several CIOs and technology executives have been held similarly accountable for security lapses.

In 2012, the executive director of Utah's Department of Technology Services was forced to resign over a data breach that exposed the Social Security numbers and other personal data of about 280,000 Medicaid recipients. Utah Gov. Gary Herbert cited a lack of "oversight and leadership" in seeking the resignation.

In 2006, Maureen Govern, AOL's chief technology officer, quit her job in the aftermath of a disclosure that the company had publicly released data on searches done by about 650,000 of its online subscribers. Two employees in the company's research division, which was responsible for the release of the data, were let go.

That same year, Ohio University's CIO William Sams resigned from his job and two top IT managers were sacked following a series of data breaches.

Jacob's fate was even more likely given the scope and the nature of the Target compromise.

The breach, which is still under investigation, is sure to cost Target hundreds of millions of dollars in remediation costs, lawsuits, fines and legal fees.

Even so, the development is unfortunate, said Gartner analyst Avivah Litan.

"You almost have to be a superhuman with 25 hours a day to spend on security issues to be an effective large retailer CIO these days. And that simply doesn't exist," Litan said.

It is also surprising that the company that assessed Target's compliance with the Payment Card Industry Data Security Standard is not taking some responsibility, she said. Target suffered the breach despite being certified as being PCI compliant.

"I don't understand why the qualified PCI security assessor is totally off the hook in this case," Litan noted. "CIOs rightfully rely on [qualified security assessors] to certify PCI compliance," Litan said. "Sure the standard response is 'well things change between annual assessments'," she said. "Yes they do, but that's a big copout on the QSA's part if you ask me."

Jim Huguelet, an independent retail security consultant, expressed surprise at Jacob's timing. "She did not tender her resignation in the days or weeks immediately following the disclosure when the pressure was most acute," he noted. Jacob also didn't wait longer to put some distance between the event and her departure, he said.

"She does not appear to have a professional background in information technology, so perhaps she felt it was appropriate to allow someone with a deeper technical background to lead their IT organization through the coming months and years of the work ahead of them," Huguelet said.

The Target incident underscores the need for technology executives to keep CEOs and the entire board abreast of cybersecurity developments at all times, said Chris Pierson, chief security officer at Viewpost.

"We as an industry need to improve how we communicate that breaches are not 100% preventable and need the people, tech and processes to handle these sophisticated threats," he said. "This is a cyber, law, privacy, and risk issue that touches everyone and must be addressed holistically."

This article, CIO not the only one to blame for Target breach, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about data security in Computerworld's Data Security Topic Center.

This story, "CIO not the only one to blame for Target breach" was originally published by Computerworld.

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies