Did Target's CEO Need to Go?
Resignation a Sign of Change in Cybersecurity Perspectives
Gregg Steinhafel's resignation as chairman, president and CEO at Target Corp. in the wake of a massive data breach reflects a shift in corporate thinking about cybersecurity and financial fraud, security experts say (see Breach Aftermath: Target CEO Steps Down).
"It's a signal to industry that the market expects chief executives to be on top of reputation and trust management, which, in turn, means being on top of security," says Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation.
"Trust and security have traditionally been seen as an integral part of a bank's brand," he says. "In the retail space, this is a relatively new value, and an overdue one. As is so often the case, it takes a major incident, with material financial and reputational consequences, for security to move up to the top of a given industry's priority list."
But holding retail executives responsible for cybersecurity could have devastating effects, argues financial fraud expert Al Pascual, an analyst for the consultancy Javelin Strategy & Research.
"Has the precedent been set where heads will roll in the C-suite whenever a major breach occurs?" he asks. "I'd argue that this is going to become a shareholder expectation, and that is bad news for retailers, as they are nowhere near ready, as an industry, to repel the breach attempts that are certain to continue."
Shirley Inscoe, a financial fraud analyst for consultancy Aite, says calling for the resignation of a CEO such as Steinhafel in the wake of a massive payments breach is not good business.
"Unless there is evidence the CEO had knowledge and failed to act to address security, this seems like poor timing to replace him," she says. "The company has been reeling, and introducing more confusion could cost them some young, rising stars."
But more CEOs can expect similar fates if their companies experience major breaches, Inscoe says.
"The board probably felt if they replaced the CEO, perhaps they could begin to put the issue behind them," she explains. "At a minimum, they are demonstrating how seriously they are taking the problems."
Shifting Opinions of Target
Target, which was lauded early on by some for its CEO's communication after the point-of-sale breach that compromised 40 million debit and credit cards, has watched its stock price steadily decline - a byproduct of waning consumer confidence in the retailer's security, Wills says.
"I'm sure the breach had a lot to do with it," he says. "Target's share prices have been in decline over the past 12 months. That includes a rather large dip from December to mid-February, right after the breach was brought to light."
In its first-quarter earnings statement, released Feb. 26, Target revealed that its profits had been hurt by its 2013 breach.
Target's profit for the first quarter of its fiscal year 2014 dropped 46 percent, compared with the same period a year earlier.
Target's Breach Response
Steinhafel's resignation, which comes on the heels of the March resignation of Beth Jacob, Target's former CIO, reflects a growing trend of higher cybersecurity expectations for executives at the helm, Wills adds.
In response to the breach, Steinhafel, in his resignation letter to the board, notes that the company took immediate action to address its security gaps.
"From the beginning, I have been committed to ensuring Target emerges from the data breach a better company, more focused than ever on delivering for our guests," he writes. "We have already begun taking a number of steps to further enhance data security, putting the right people, processes and systems in place. With several key milestones behind us, now is the right time for new leadership at Target."
Those key steps have included:
- Enhanced monitoring and logging, including implementing additional rules and alerts, centralizing log feeds and enabling additional logging capabilities;
- Application whitelisting for point-of-sale systems;
- Enhanced network segmentation;
- Limited vendor access to servers and systems; and
- Enhanced security of accounts.
Target also has committed to migrating its entire REDcard portfolio from magnetic-strip technology to chip and PIN by early 2015 - a move that has been praised by retail groups such as the Retail Industry Leaders Association.
"We applaud Target and its partner MasterCard for their leadership and commitment to providing customers with the strongest protections available today," said Sandy Kennedy, president of RILA, in an April 30 statement. "Migrating to chip and PIN technology is a major component of RILA's Cybersecurity and Data Privacy Initiative. The security features associated with chip and PIN technology will reduce the risk of fraud in the United States as they have done around the world, where this enhanced fraud prevention technology has been in place for years."
Chip-and-PIN payment terminals will be installed at all 1,797 of Target's U.S. stores by September 2014, the company says.
Inscoe contends, however, that Target's move to implement chip-and-PIN technology that conforms to the Europay, MasterCard, Visa standard was more about image than security.
"While they tried to deflect their lack of security with the EMV issue, everyone knows EMV would not have prevented Target's breach if it had been in effect in the U.S.," she says.
Time for Change
Target needs to look for a new CEO who can rebuild the public's trust, Wills says.
"A keen awareness of the need to rebuild and maintain Target's position as a trusted consumer brand, and of strategies for doing that, will be a must," he says.
Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says shoppers don't care who heads Target; but when breaches occur, someone at the top has to be accountable.
"Cybersecurity is a top C-level issue and priority now," Litan says. "CEOs will have to get up to speed, whether or not they are interested in it."
Inscoe says Target certainly cannot afford another breach incident. "While I seriously doubt anyone expects the CEO of a major corporation to fully understand cybersecurity, ensuring the company is adequately protected against attacks is a reasonable expectation, both of the board and the shopping public," she says.