Commentary
4/30/2014
02:00 PM

5-Step Plan For New Target CIO

Target's new CIO, Bob DeRodes, faces tough challenges as he upgrades information security processes. Here's my armchair quarterback advice.

It's armchair quarterback time. Target has hired a new CIO to replace Beth Jacob, who resigned in March following a massive security breach at the big-box retailer. Since everyone was second-guessing Jacob during her final days, it's fitting that the mob has its say now.

But let me be blunt and serious: I found the whole vilification of Jacob to be the worst kind of techno-blamestorming -- by business and technology leaders, journalists, and other pundits. There's a big difference between mistakes and negligence. Though Jacob and her team clearly made missteps, enterprise infosec is an excruciatingly difficult game to play. I know; I've been there.

Infosec is a team sport that requires everyone, not just the IT organization, to participate. Businesses demand agility and flexibility and complain about too many false positives. Employees dismiss infosec as "an IT thing" and proceed to type their passwords into the one out of every 100 simple phishing attacks that makes it past email security, even though the security training they ignored while playing Bejeweled Blitz on their smartphones clearly spelled out what to do in these types of situations.

Even key players in finance and in risk management aren't always on board, chastising IT and infosec leaders for their paranoia or for playing "gotcha games" via their legitimate drills. Anybody who hasn't been in the CIO's worry seat can't possibly imagine how much of a no-win scenario this can be. As Craig Carpenter, AccessData's chief cyber-security strategist, put it, the bad guys need to be right only once, but the good guys have to be right all the time. Yes, the scope of the Target breach was staggering, resulting in the theft of 40 million credit and debit card numbers. But as an incumbent CIO who understands that not all the details of internal stories make it to the light of day, I'm wondering how much of that breach can be traced back to a lack of infosec buy-in and support from Jacob's peers and Target's employees.

That's why Target has made a great choice in picking a retired CIO to reboot its IT. Bob DeRodes, the former CIO of Home Depot, has stared down the retail infosec demon before. My bet is that this is a temp job for him -- he'll do what's necessary without worrying about hurting anyone's feelings, and then he'll move on. For that reason, Target made the right move. It needs someone who can focus on the post-breach IT cleanup, someone without career or money worries. (DeRodes earned a total compensation package of almost $5 million for his final year at Home Depot.)

So here's my armchair quarterback five-step plan for DeRodes. In this case, I'll skip the usual Step 6, which would have been "Prepare Your Parachute." Most new CIOs must prepare for the possibility of discovering that executive management says it has learned its lessons about resourcing and prioritizing security but still isn't prepared to follow through.

Step 1: Get clear on what the CEO wants.
Gregg Steinhafel, Target's chairman and CEO, has publicly declared what he wants from DeRodes: "Establishing a clear path forward for Target following the data breach has been my top priority... Bob's history of leading transformational change positions him well to lead our continued breach responses and guide our long-term digital strategy." Translation: Change our IT so that an embarrassing security breach doesn't happen again, while creating technology excellence throughout Target. As always, the "how" is the hard part.

My prediction is that DeRodes, very early on -- he probably started while negotiating for the job -- will be having deep conversations with Steinhafel to establish what the CEO wants and to set realistic expectations about what can be accomplished in 30 days, 90 days, and the coming year. This is also the opportunity for DeRodes to sniff out how much Steinhafel buys into the notion of creating a culture of information security and IT excellence, and how much he's willing to pay for it.

Step 2: Visibly deliver on what the CEO and shareholders want.
Target already has ambitious plans for shoring up security, including a very public-facing deployment of chip-and-PIN security payment terminals in all its stores by September. Job No. 1: Don't screw that up. And when you make progress, tell everyone about it.

When Target appointed DeRodes, it also outlined other security measures being implemented, including enhancements to monitoring and logging, new "whitelist" firewall rules, enhanced network segmentation, a firewall governance process, reviews and limitations on vendor access, a decommissioning of FTP and telnet, a coordinated reset of 445,000 Target employee and contractor passwords, and a broadening of two-factor authentication. Whew. Some of those things should have been done already, of course. Telnet and FTP? Really? But some of it, notably network segmentation, isn't yet widely implemented across industries. Most IT organizations still believe in perimeter security. That's really been dead for some time, but that's another story.


Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ...

Comments
shakeeb, User Rank: Black Belt
4/30/2014 | 9:19:24 PM
Re: Advice from the Front Lines
The most important factor that caught my attention was "Assess and address staffing". Retaining good talent has become a challenge for the CIO, hence he has to focus on it very much.
shakeeb, User Rank: Black Belt
4/30/2014 | 9:16:04 PM
Re: Advice from the Front Lines
I agree with you. It is always important to listen since it gives more space for good decision making.
Craig Carpenter, AccessData, User Rank: Apprentice
4/30/2014 | 6:15:30 PM
Advice from the Front Lines
Excellent story, Jonathan; the front lines are always the best place from which advice should come. If I were Bob DeRodes, I would be listening!
ChrisMurphy, User Rank: Author
4/30/2014 | 5:58:14 PM
Re: Blow Your Own Horn
The big chip-and-PIN payment terminal plan illustrates the opportunity -- now is the time to go big on initiatives that wouldn't have been possible before the breach. Think anyone ever thought about that kind of payment terminal before? Such security steps face the "do we have to?" and "why now?" questions. Now security will take center stage -- for a bit.
RobPreston, User Rank: Author
4/30/2014 | 3:09:29 PM
Blow Your Own Horn
I like Jonathan's emphasis on "visibly" delivering on what the Target CEO and shareholders want. CIOs in all industries need to blow their organizations' horns more -- get better at communications and PR. Critical in this day and age.
Lorna Garey, User Rank: Author
4/30/2014 | 2:43:04 PM
Expensive, Massive, Doomed
Security as practiced by large companies today looks way too much like a massively multilevel game of whack-a-mole. So many regs, so many segments, so many stupid end users, er, inside threats. There's no way around it, but how sustainable is it? The costs have to be passed along to consumers. At what point do we just surrender and all get credit cards that expire every month?