Target's new CIO, Bob DeRodes, faces tough challenges as he upgrades information security processes. Here's my armchair quarterback advice.
It's armchair quarterback time. Target has hired a new CIO to replace Beth Jacob, who resigned in March following a massive security breach at the big-box retailer. Since everyone was second guessing Jacob during her final days, it's fitting that the mob has its say now.
But let me be blunt and serious: I found the whole vilification of Jacob to be the worst kind of techno-blamestorming -- by business and technology leaders, journalists, and other pundits. There's a big difference between mistakes and negligence. Though Jacob and her team clearly made missteps, enterprise infosec is an excruciatingly difficult game to play. I know; I've been there.
Infosec is a team sport that requires everyone, not just the IT organization, to participate. Businesses demand agility/flexibility and complain about too many false positives. Employees dismiss infosec as "an IT thing" and proceed to type their passwords into every one out of 100 simple phishing attacks that make it past email security, even though the security training they ignored while playing Bejeweled Blitz on their smartphones clearly spelled out what to do in these types of situations.
Even key players in finance and in risk management aren't always on board, chastising IT and infosec leaders for their paranoia or for playing "gotcha games" via their legitimate drills. Anybody who hasn't been in the CIO's worry seat can't possibly imagine how much of a no-win scenario this can be. As Craig Carpenter, AccessData's chief cyber-security strategist, put it, the bad guys need to be right only once, but the good guys have to be right all the time. Yes, the scope of the Target breach was staggering, resulting in the theft of 40 million credit and debit card numbers. But as an incumbent CIO who understands that not all the details of internal stories make it to the light of day, I'm wondering how much of that breach can be traced back to a lack of infosec buy-in and support from Jacob's peers and Target's employees.
That's why Target has made a great choice in picking a retired CIO to reboot its IT. Bob DeRodes, the former CIO of Home Depot, has stared down the retail infosec demon before. My bet is that this is a temp job for him -- he'll do what's necessary without worrying about hurting anyone's feelings, and then he'll move on. For that reason, Target made the right move. It needs someone who can focus on the post-breach IT cleanup, someone without career or money worries. (DeRodes earned a total compensation package of almost $5 million for his final year at Home Depot).
So here's my armchair quarterback five-step plan for DeRodes. In this case, I'll skip the usual Step 6, which would have been "Prepare Your Parachute." Most new CIOs must prepare for the possibility of discovering that executive management says it has learned its lessons about resourcing and prioritizing security but still isn't prepared to follow through.
Step 1: Get clear on what the CEO wants. Gregg Steinhafel, Target's chairman and CEO, has publicly declared what he wants from DeRodes: "Establishing a clear path forward for Target following the data breach has been my top priority... Bob's history of leading transformational change positions him well to lead our continued breach responses and guide our long-term digital strategy." Translation: Change our IT so that an embarrassing security breach doesn't happen again, while creating technology excellence throughout Target. As always, the "how" is the hard part.
My prediction is that DeRodes, very early on -- he probably started while negotiating for the job -- will be having deep conversations with Steinhafel to establish what the CEO wants and to set realistic expectations about what can be accomplished in 30 days, 90 days, and the coming year. This is also the opportunity for DeRodes to sniff out how much Steinhafel buys into the notion of creating a culture of information security and IT excellence, and how much he's willing to pay for it.
Step 2: Visibly deliver on what the CEO and shareholders want. Target already has ambitious plans for shoring up security, including a very public-facing deployment of chip-and-PIN security payment terminals in all its stores by September. Job No. 1: Don't screw that up. And when you make progress, tell everyone about it.
When Target appointed DeRodes, it also outlined other security measures being implemented, including enhancements to monitoring and logging, new "whitelist" firewall rules, enhanced network segmentation, a firewall governance process, reviews and limitations on vendor access, a decommissioning of FTP and telnet, a coordinated reset of 445,000 Target employee and contractor passwords, and a broadening of two-factor authentication. Whew. Some of those things should have been done already, of course. Telnet and FTP? Really? But some of it, notably network segmentation, isn't yet widely implemented across industries. Most IT organizations still believe in perimeter security. That's really been dead for some time, but that's another story.
Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.