A former CIO's take on Target CIO resigning after massive data breach

Target CIO Beth Jacob has resigned following the retailer's embarrassing data breach. A former CIO weighs in and says Jacob took the high road.

The average tenure of a Chief Information Officer (CIO) is five years, which is on the low end of the C-level executive survival scale. Perhaps somewhat ironically, Target CIO Beth Jacob attained that five-year watermark in 2013, only to tender her resignation on March 5, 2014 as a consequence of the well-publicized Target data breach.

In her resignation letter to Target Chairman, President, and CEO Gregg Steinhafel, Jacob said that resigning was a "difficult decision," but added that "this was a time of significant transformation for the retail industry and for Target."

In a 2012 CIO.com article, commenting on why CIOs don't last as long as other C-level executives, CIO Peter Weis, who has been at the helm of IT for nine years at Matson Navigation, a transportation and logistics firm, said that, "There are always a lot of headwinds for CIOs to try to get through. CIOs can do outstanding work yet still catch the blame when business models sour, strategy shifts or top management changes."

The Target data breach certainly qualified as a major headwind.

Forty million credit and debit card accounts were compromised in a breach of the company's payment infrastructure that occurred between November 27 and December 15, 2013. The data stolen included customer name, credit or debit card number, card expiration date, and CVV (a card's three-digit security code). Major card issuers like Capital One reissued cards to cardholders whose data had been exposed in the breach.

The publicity was relentless. In a high-profile situation like this, some heads have to inevitably fall and the CIO's was the most logical casualty, but should she have been?

Initially, the U.S. Security Service reported that the Target security breach was highly sophisticated--perhaps one that could not have been anticipated by ordinary means--yet, follow-up reports featuring analysis from McAfee called it a "Breach 101 operation."

McAfee said the thieves modified off-the-shelf malware, and then they used very common methods to hide the malware inside Target's point of sale system. They didn't even encrypt the instructions on where to send the stolen card data or the card information as it was being transmitted out of Target to a remote server. McAfee maintains that the transmitted data stream should have been detected and caught.

To appease stakeholders, critics, and customers, Target is making major moves. "Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence," said Gregg Steinhafel in a statement.

Accordingly, Target has engaged a forensics team to perform a post-mortem analysis to determine exactly what happened, and why it wasn't detected. Target is now looking for a new CIO, chief information security officer, and chief compliance officer. Target is also realigning security responsibilities under the new chief information security officer, and no longer dividing it among several executives.

This brings us back to the original question of whether Target's CIO should have resigned.

Responsibilities in large organizations (and this applies to many organizations besides Target) are often split between C-level executives. The security breach came in through the point of sale system, which might not have been under the CIO's direct supervision. However, not detecting the security breach certainly seems to be a CIO responsibility. The long and the short of it is there was probably enough "spread" responsibility and blame that others could have gone as well.

Could Jacob have remained Target's CIO?

A number of years ago, a CIO at a payment processor was singled out when one of his card supervisors (who reported to a card processing middle manager) failed to process nearly one million dollars' worth of payments. The breach was discovered by auditors, and the consequence was a major confrontation with cardholders, many of whom chose to take the position that somehow, the institution had decided to "forgive" their debt. Ultimately, 80 percent of the payments were processed late and then paid in by cardholders, but several cases went to court. The CIO, who knew nothing about the supervisor's failure to process work until the auditors uncovered it and was not informed of it by his middle manager, was brought before the board.

The good news for the CIO was that the adverse publicity was confined to a small geographic area (it was a local institution), and did not warrant a mention in major news outlets. Arguably, the CIO could have lost his job because he bore ultimate responsibility for card processing in the organization, but neither his board nor his CEO felt that a CIO dismissal was called for, given the seven years of stellar performance the CIO had provided during his tenure.

Unfortunately, in a high-profile situation, it is much more difficult for CEOs and boards to take a protective stance for employees who bear ultimate responsibility for functions that fail, because stakeholders expect immediate action. Going forward at Target, it sounds like positions that formerly were charged with security responsibilities will be losing them, so the pain was shared.

It is noteworthy that Jacob spent five years in the CIO position, perhaps the toughest C-level position in any company. Clearly, she had a demonstrated record of delivering value to Target. Nevertheless, she elected to take the high road in tendering her resignation.

Should she have resigned? We don't know the internal discussions that transpired, but it is likely that resignation was presented to her as a "polite" option for leaving, as it often is to senior executives.

Was she a sacrificial casualty? Again, it's hard to say without knowing more about the situation, but often, CIOs are let go because systems (and those most responsible for them) are easiest to blame.

Could she have done anything to save her job? It's difficult to answer, but many CIOs will tell you that when the tide of disfavor is rapidly rising and the current is beating against your door, there simply is no way back to shore.

CIOs already know that situations like this are a possibility, because virtually every aspect of the business these days is run on systems. When systems fail, even if the wrongdoing originates in business operations, the CIO is still a "best bet" lightning rod to attract the blame.

Nevertheless, the challenges, the variety, the risks, and the rewards of IT continue to attract professionals to the CIO position. IT CIOs are a breed distinct from others who work in "safer" C-level positions--and for most tech CIOs, they wouldn't have it any other way.

Note: TechRepublic and ZDNet are CBS Interactive properties.
