BreachExchange mailing list archives

Did Target's CEO Need to Go?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 6 May 2014 19:07:59 -0600

http://www.databreachtoday.com/did-targets-ceo-need-to-go-a-6815

Gregg Steinhafel's resignation as chairman, president and CEO at Target
Corp. in the wake of a massive data breach reflects a shift in corporate
thinking about cybersecurity and financial fraud, security experts say (see
Breach Aftermath: Target CEO Steps Down).

"It's a signal to industry that the market expects chief executives to be
on top of reputation and trust management, which, in turn, means being on
top of security," says Tom Wills, director of Ontrack Advisory, a
consulting firm focused on payments innovation.

"Trust and security have traditionally been seen as an integral part of a
bank's brand," he says. "In the retail space, this is a relatively new
value, and an overdue one. As is so often the case, it takes a major
incident, with material financial and reputational consequences, for
security to move up to the top of a given industry's priority list."

But holding retail executives responsible for cybersecurity could have
devastating effects, argues financial fraud expert Al Pascual, an analyst
for the consultancy Javelin Strategy & Research.

"Has the precedent been set where heads will roll in the C-suite whenever a
major breach occurs?" he asks. "I'd argue that this is going to become a
shareholder expectation, and that is bad news for retailers, as they are
nowhere near ready, as an industry, to repel the breach attempts that are
certain to continue."

Shirley Inscoe, a financial fraud analyst for consultancy Aite, says
calling for the resignation of a CEO such as Steinhafel in the wake of a
massive payments breach is not good business.

"Unless there is evidence the CEO had knowledge and failed to act to
address security, this seems like poor timing to replace him," she says.
"The company has been reeling, and introducing more confusion could cost
them some young, rising stars."

But more CEOs can expect similar fates if their companies experience major
breaches, Inscoe says.

"The board probably felt if they replaced the CEO, perhaps they could begin
to put the issue behind them," she explains. "At a minimum, they are
demonstrating how seriously they are taking the problems."

Shifting Opinions of Target

Target, which was lauded early on by some for its CEO's communication after
the point-of-sale breach that compromised 40 million debit and credit
cards, has watched its stock price steadily decline - a byproduct of waning
consumer confidence in the retailer's security, Wills says.

"I'm sure the breach had a lot to do with it," he says. "Target's share
prices have been in decline over the past 12 months. That includes a rather
large dip from December to mid-February, right after the breach was brought
to light."

In its first-quarter earnings statement, released Feb. 26, Target revealed
that its profits had been hurt by its 2013 breach.

Target's profit for the first quarter of its fiscal year 2014 dropped 46
percent, compared with the same period a year earlier.

Target's Breach Response

Steinhafel's resignation, which comes on the heels of the March resignation
of Beth Jacob, Target's former CIO, reflects a growing trend of higher
cybersecurity expectations for executives at the helm, Wills adds.

In response to the breach, Steinhafel, in his resignation letter to the
board, notes that the company took immediate action to address its security
gaps.

"From the beginning, I have been committed to ensuring Target emerges from
the data breach a better company, more focused than ever on delivering for
our guests," he writes. "We have already begun taking a number of steps to
further enhance data security, putting the right people, processes and
systems in place. With several key milestones behind us, now is the right
time for new leadership at Target."

Those key steps have included:

- Enhanced monitoring and logging, including the implementation of
additional rules, alerts, centralizing log feeds and enabling additional
logging capabilities;
- Application whitelisting for point-of-sale systems;
- Enhanced network segmentation;
- Limited vendor access to servers and systems; and
- Enhanced security of accounts.

Target also has committed to migrating its entire REDcard portfolio from
magnetic-stripe technology to chip and PIN by early 2015 - a move that has
been praised by retail groups, such as the Retail Industry Leaders
Association.

"We applaud Target and its partner MasterCard for their leadership and
commitment to providing customers with the strongest protections available
today," said Sandy Kennedy, president of RILA, in an April 30 statement.
"Migrating to chip and PIN technology is a major component of RILA's
Cybersecurity and Data Privacy Initiative. The security features associated
with chip and PIN technology will reduce the risk of fraud in the United
States as they have done around the world, where this enhanced fraud
prevention technology has been in place for years."

Chip-and-PIN payment terminals will be installed at all 1,797 of Target's
U.S. stores by September 2014, the company says.

Inscoe contends, however, that Target's move to implement chip-and-PIN
technology that conforms to the Europay, MasterCard, Visa standard was more
about image than security.

"While they tried to deflect their lack of security with the EMV issue,
everyone knows EMV would not have prevented Target's breach if it had been
in effect in the U.S.," she says.

Time for Change

Target needs to look for a new CEO who can rebuild the public's trust,
Wills says.

"A keen awareness of the need to rebuild and maintain Target's position as
a trusted consumer brand, and of strategies for doing that, will be a
must," he says.

Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says
shoppers don't care who heads Target; but when breaches occur, someone at
the top has to be accountable.

"Cybersecurity is a top C-level issue and priority now," Litan says. "CEOs
will have to get up to speed, whether or not they are interested in it."

Inscoe says Target certainly cannot afford another breach incident. "While
I seriously doubt anyone expects the CEO of a major corporation to fully
understand cybersecurity, ensuring the company is adequately protected
against attacks is a reasonable expectation, both of the board and the
shopping public," she says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss