5-Step Plan For New Target CIO - InformationWeek



5-Step Plan For New Target CIO

Target's new CIO, Bob DeRodes, faces tough challenges as he upgrades information security processes. Here's my armchair quarterback advice.

It's armchair quarterback time. Target has hired a new CIO to replace Beth Jacob, who resigned in March following a massive security breach at the big-box retailer. Since everyone was second guessing Jacob during her final days, it's fitting that the mob has its say now.

But let me be blunt and serious: I found the whole vilification of Jacob to be the worst kind of techno-blamestorming -- by business and technology leaders, journalists, and other pundits. There's a big difference between mistakes and negligence. Though Jacob and her team clearly made missteps, enterprise infosec is an excruciatingly difficult game to play. I know; I've been there.

Infosec is a team sport that requires everyone, not just the IT organization, to participate. Businesses demand agility and flexibility and complain about too many false positives. Employees dismiss infosec as "an IT thing" and then type their passwords into the one simple phishing email in 100 that makes it past email security, even though the security training they ignored while playing Bejeweled Blitz on their smartphones clearly spelled out what to do in these situations.

Even key players in finance and in risk management aren't always on board, chastising IT and infosec leaders for their paranoia or for playing "gotcha games" via their legitimate drills. Anybody who hasn't been in the CIO's worry seat can't possibly imagine how much of a no-win scenario this can be. As Craig Carpenter, AccessData's chief cyber-security strategist, put it, the bad guys need to be right only once, but the good guys have to be right all the time. Yes, the scope of the Target breach was staggering, resulting in the theft of 40 million credit and debit card numbers. But as an incumbent CIO who understands that not all the details of internal stories make it to the light of day, I'm wondering how much of that breach can be traced back to a lack of infosec buy-in and support from Jacob's peers and Target's employees.

That's why Target has made a great choice in picking a retired CIO to reboot its IT. Bob DeRodes, the former CIO of Home Depot, has stared down the retail infosec demon before. My bet is that this is a temp job for him -- he'll do what's necessary without worrying about hurting anyone's feelings, and then he'll move on. For that reason, Target made the right move. It needs someone who can focus on the post-breach IT cleanup, someone without career or money worries. (DeRodes earned a total compensation package of almost $5 million for his final year at Home Depot).

So here's my armchair quarterback five-step plan for DeRodes. In this case, I'll skip the usual Step 6, which would have been "Prepare Your Parachute." Most new CIOs must prepare for the possibility of discovering that executive management says it has learned its lessons about resourcing and prioritizing security but still isn't prepared to follow through.

Step 1: Get clear on what the CEO wants.
Gregg Steinhafel, Target's chairman and CEO, has publicly declared what he wants from DeRodes: "Establishing a clear path forward for Target following the data breach has been my top priority... Bob's history of leading transformational change positions him well to lead our continued breach responses and guide our long-term digital strategy." Translation: Change our IT so that an embarrassing security breach doesn't happen again, while creating technology excellence throughout Target. As always, the "how" is the hard part.

My prediction is that DeRodes, very early on -- he probably started while negotiating for the job -- will be having deep conversations with Steinhafel to establish what the CEO wants and to set realistic expectations about what can be accomplished in 30 days, 90 days, and the coming year. This is also the opportunity for DeRodes to sniff out how much Steinhafel buys into the notion of creating a culture of information security and IT excellence, and how much he's willing to pay for it.

Step 2: Visibly deliver on what the CEO and shareholders want.
Target already has ambitious plans for shoring up security, including a very public-facing deployment of chip-and-PIN security payment terminals in all its stores by September. Job No. 1: Don't screw that up. And when you make progress, tell everyone about it.

When Target appointed DeRodes, it also outlined other security measures being implemented, including enhancements to monitoring and logging, new "whitelist" firewall rules, enhanced network segmentation, a firewall governance process, reviews and limitations on vendor access, a decommissioning of FTP and telnet, a coordinated reset of 445,000 Target employee and contractor passwords, and a broadening of two-factor authentication. Whew. Some of those things should have been done already, of course. Telnet and FTP? Really? But some of it, notably network segmentation, isn't yet widely implemented across industries. Most IT organizations still believe in perimeter security. That's really been dead for some time, but that's another story.
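To make the "whitelist firewall rules" and "decommission FTP and telnet" items concrete, here is an added example (not Target's configuration and not the article's own material): a small Python checker that reads an iptables-save style ruleset and flags default-allow chain policies, rules that still permit cleartext telnet or FTP, and remote-administration ports open to any source rather than to a specific network segment. The two rulesets, the addresses and the port lists in it are constructed for illustration only.

```python
"""Audit an iptables-save style ruleset for default-allow policies,
cleartext legacy services and unrestricted admin access.
Added example; the rulesets below are constructed samples."""
import shlex

# Cleartext protocols the article says Target is decommissioning.
LEGACY_CLEARTEXT = {21: "ftp", 23: "telnet"}
# Remote-administration ports that should never be reachable from "any".
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}


def parse_ruleset(text):
    """Return ({chain: default_policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "*")) or line == "COMMIT":
            continue
        if line.startswith(":"):                      # e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tokens = shlex.split(line)
        rule = {"chain": None, "target": None, "dport": None, "src": None, "raw": line}
        i = 0
        while i < len(tokens) - 1:                    # look at each flag/value pair
            flag, value = tokens[i], tokens[i + 1]
            if flag == "-A":
                rule["chain"] = value
            elif flag == "-j":
                rule["target"] = value
            elif flag == "--dport":
                rule["dport"] = int(value)
            elif flag == "-s":
                rule["src"] = value
            i += 1
        if rule["chain"]:
            rules.append(rule)
    return policies, rules


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    policies, rules = parse_ruleset(text)
    for chain in ("INPUT", "FORWARD"):
        # A missing policy line means the iptables default, which is ACCEPT.
        if policies.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain}: default policy ACCEPT (blacklist model); "
                            "set the policy to DROP and whitelist only what is needed")
    for r in rules:
        if r["target"] != "ACCEPT" or r["dport"] is None:
            continue
        if r["dport"] in LEGACY_CLEARTEXT:
            findings.append(f"{r['chain']}: allows cleartext {LEGACY_CLEARTEXT[r['dport']]} "
                            f"(tcp/{r['dport']}); decommission the service: {r['raw']}")
        if r["dport"] in ADMIN_PORTS and r["src"] is None:
            findings.append(f"{r['chain']}: {ADMIN_PORTS[r['dport']]} (tcp/{r['dport']}) "
                            f"reachable from any source; restrict -s to the admin segment: {r['raw']}")
    return findings


# Constructed "before" ruleset: default-allow, telnet/FTP open, SSH from anywhere.
WEAK_RULES = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j DROP
COMMIT
"""

# Constructed "after" ruleset: default-deny, whitelist per segment, no cleartext services.
HARDENED_RULES = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.30.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = audit(ruleset)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The checker only understands the handful of iptables flags it looks for, which is enough to show the difference between a blacklist ruleset (default ACCEPT with a few DROPs) and a whitelist one (default DROP with explicit, source-restricted ACCEPTs); the same three checks map directly onto the segmentation and vendor-access items in Target's list.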


Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ...

Comments
User Rank: Ninja
4/30/2014 | 9:19:24 PM
Re: Advice from the Front Lines
The most important factor that caught my attention was "Assess and address staffing". Retaining good talent has become a challenge for the CIO, hence he has to focus on it very much.
User Rank: Ninja
4/30/2014 | 9:16:04 PM
Re: Advice from the Front Lines
I agree with you. It is always important to listen since it gives more space for good decision making.
Craig Carpenter, AccessData
User Rank: Apprentice
4/30/2014 | 6:15:30 PM
Advice from the Front Lines
Excellent story, Jonathan; the front lines are always the best place from which advice should come. If I were Bob DeRodes, I would be listening!
User Rank: Author
4/30/2014 | 5:58:14 PM
Re: Blow Your Own Horn
The big chip-and-pin payment terminal plan illustrates the opportunity -- now is the time to go big on initiatives that wouldn't have been possible before the breach. Think anyone ever thought about those kind of payment terminals before? Such security steps face the "do we have to?" and "why now?" questions. Now security will take center stage -- for a bit.
User Rank: Author
4/30/2014 | 3:09:29 PM
Blow Your Own Horn
I like Jonathan's emphasis on "visibly" delivering on what the Target CEO and shareholders want. CIOs in all industries need to blow their organizations' horns more -- get better at communications and PR. Critical in this day and age.
Lorna Garey
User Rank: Author
4/30/2014 | 2:43:04 PM
Expensive, Massive, Doomed
Security as practiced by large companies today looks way too much like a massively multilevel game of whack-a-mole. So many regs, so many segments, so many stupid end users, er, inside threats. There's no way around it, but how sustainable is it? The costs have to be passed along to consumers. At what point do we just surrender and all just get credit cards that expire every month?