So the latest news this week is that the Target CIO Beth Jacob has resigned, it seems to be somewhat linked to the massive heist of credit card details from Target that took place in December last year.
To be fair it was a fairly complex, high-level attack and I’m pretty sure most companies would have been infiltrated with a similarly pervasive attack vector.
Target CIO Beth Jacob has apparently fallen on her sword in the wake of the massive security breach in mid-December that compromised 40 million debit and credit cards and swept national headlines. Her resignation was rendered this week effective immediately.
“If you look at the history of other large data breaches, turnover at the top of the IT shop is not unusual,” says retail IT consultant Cathy Hotka.
Target CEO Gregg Steinhafel says the retailer is now looking outside the company for a CIO to succeed Jacob and help overhaul its network security, according to the Wall Street Journal.
Ironically, Jacob, who has a sterling reputation among retail CIOs, was thought of as a great hire by Target in 2008, Hotka says.
Target’s security incident — from the sophisticated breach to Steinhafel penning a mea culpa open letter to Target customers to running apologetic ads in the Wall Street Journal and other major publications to Jacob’s resignation — is a watershed moment for retail CIOs. They are now faced with rethinking their data security strategy.
The kind of breach that occurred at Target was highly sophisticated. Hackers slipped their software into Target’s computer systems via credentials stolen from one of Target’s vendors, reported the Wall Street Journal. The software eventually made its way to checkout stations and began amassing credit card data.
Having worked in this industry for many years, it really comes as no surprise how lackadaisical corporate information security can be at times.
And this was a pretty slick multi-level attack coming in at first through a vendor’s access, and eventually landing on the POS terminals – as was the plan from the beginning I would imagine.
“The people who are responsible for these kinds of breaches are well-organized, criminal enterprises,” Hotka says. “If you went to go up to a bunch of retail CIOs and asked them, ‘Could this have happened to you?’ the answer would be, yes.”
CIOs are put in a tough position because they’re not given adequate security funding, Hotka says. She recalls five years ago when the CIO of apparel and home fashions retailer TJX Companies had asked for additional data security resources and didn’t get them. A massive security breach followed, compromising millions of credit card numbers. TJX Companies agreed to pay $40.9 million to resolve potential claims by banks.
Given the growing sophistication of attacks, retail CIOs must now reconsider whether or not managing the risk in-house is wise. As Jacob’s resignation shows, a retail CIO is culpable yet might not have the know-how or resources to protect the company.
So should retail CIOs outsource data security to the experts?
“I think at this stage it’s not unreasonable,” Hotka says.
There’s a LOT of articles going around about this at the moment, many concerning who’s to blame, was it the CIO? who’s fault is it that engineers brought up that they felt there’s a problem? and so on.
Could the CIO have prevented this? Perhaps if she was very technical and on the ground concerning security practice, but honestly there should be a CSO for that and it falls more under the remit of the CTO than the CIO in my eyes.
Source: Network World