DeRodes will do himself and Target a favor if he presents periodic reports on progress; doing so will help to rebuild Target's IT credibility. And these types of reports also help with internal morale, which must be low. More on that in a moment.
Step 3: Don't get in the way.
It's likely that everyone in the Target IT organization has been wearing a scarlet breach "B" on their collective chests, ashamed of the breach and the financial and PR consequences. Those who have stuck around are working their keisters off to make things better.
My guess is that 80% or more of the activities already happening (see point No. 2) are exactly what Target needs. The worst thing DeRodes could do in this situation would be to jump in and further demoralize staffers by throwing out their plans because he wants to put his own stamp on things.
DeRodes won't. He's too experienced to make that mistake. He'll intervene when he sees a clear need to do so. Otherwise, he'll mostly keep out of the way after he assesses and tweaks the plan.
Step 4: Assess and address staffing.
The most important thing a CIO does is attract and retain the right talent -- and encourage the wrong talent to go elsewhere. DeRodes will do one-on-one interviews with a handful of key staffers, and he'll assess the rest of the team by proxy, by reviewing them with his managers. He may also use a sampling strategy, where he compares what one of his managers says about a staffer with what his own interview and assessment tells him. My guess is that he won't sample very much unless he starts worrying about the competence or leadership abilities of his management team.
The worst thing for Target, given how demoralized key staffers are, would be to let experienced, talented IT people walk out the door. Retaining the right people will be hugely important.
DeRodes will also assess whether staffing levels are adequate. Security tasks sometimes don't get done when folks are insanely busy. My guess is that Target will overcompensate for security for the foreseeable future.
Step 5: Build a new IT culture.
When the CEO states publicly that he hired you for your "history of leading transformational change," you'd better get cracking. Significant change always requires a reboot of the organizational culture. DeRodes won't start doing that until the basics are in order: current security plan being followed, chip-and-PIN project on track, staff assessment completed, etc. But it will loom large on his agenda.
Anybody can come in and implement projects. But creating lasting change will require a lot more effort. It's not a cookie-cutter project. DeRodes must take what he learns from Steinhafel, from his staff assessment, and from his peers and put together an almost forensic reconstruction of what went wrong and how a change in basic work values could have made a difference. This assessment is an important step toward creating guiding principles that both jibe with Target's overall values and steer employees to do the right things, even when there's no explicit policy to guide them.
For example, DeRodes will be digging into why Target's security team ignored data breach alarms. Yes, the technical reasons are that Target, not unlike many organizations, chose to take manual, not automated, action, likely because of fear of false positives shutting down important business processes. But was there also a culture of "mother-may-I?" going on? Were individual security analysts empowered to take swift action, or did they have to embark on a chain-of-command journey to do anything? When you have the correct core values in place (as opposed to needing a specific policy for every contingency), employees take action.
This is arguably the hardest but most important part of creating lasting change. DeRodes has his work cut out for him.
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and we offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators. Read our InformationWeek Elite 100 issue today.