Executives Educated by Target CEO resignation
Gregg Steinhafel, who has been Target’s Chief Executive Officer since 2008, has resigned months after one of the largest data breaches in history made Target stock value and sales plummet. He also resigned from the board of directors, although he will remain on in an advisory capacity. This is a major benchmark in data breach fallout, as Steinhafel, a 35-year veteran of the company, is the first CEO of a major corporation to lose his job over a breach of customer data. And given how lax most retailers are about their security (they spend, on average, only 6% of revenues, vs. 15% for banks), he won’t be the last.
Lesson #1: The CEO is Fair Game. A data breach caused deep within the organization (in Target’s case, by a third-party vendor) can now reverberate all the way to the top. No longer can a corporation blame a Chief Security Officer alone for a breach that impacts brand reputation. As I write, many corporations are scrapping their current org chart and having the CSO/CISO report directly to the CEO. Not only has Steinhafel become the public face of the Target breach, but Target has become the poster child for the entire concept of the security breach (replacing TJX, Sony PlayStation and Heartland Payment Systems). Steinhafel’s own words underscored the significance of his ouster:
“It’s a new era for boards to take a proactive role in understanding what the risks are.”
Target’s slow reaction to the breach (lack of proactivity) is seen as an underlying cause of Steinhafel’s departure and a second great lesson to be learned:
Lesson #2: Delaying Recovery Risks Your Reputation. Have you ever noticed how unethical politicians lose their case not because of their actions, but because of the lies they tell to cover up their actions? The delay-and-denial game is just as risky with data security breaches. The quicker you come clean, the less collateral damage you incur to your brand reputation and recovery efforts.
Businessweek reported that Target’s cyber-security team had enough information to stop the massive leakage of 40 million credit card numbers and 70 million other pieces of personal information before it started – and did absolutely nothing about it. At the date their article was published, more than 90 lawsuits had been filed against Target by customers and banks for negligence and compensatory damages. That’s on top of other costs, which analysts estimate could run into the billions.
Also, Target reportedly waited nearly a month to reveal the breach to its customers, taking away valuable time when consumers could have been protecting themselves by changing passwords and closing accounts. Their attempt to placate the public by offering free credit monitoring services is a classic case of too little, too late.
Lesson #3: Wise Companies Understand the Equation: Prevention <$ Recovery. Recently, Target announced plans to become the first major U.S. retailer to have store credit and debit cards with chip-and-PIN security technology. As part of its $100 million effort, Target said all of its store-branded cards would be reissued as MasterCard chip-and-PIN cards in 2015. But as I mentioned in a previous blog, Target started to implement chip-based credit-card technology over ten years ago (they spent $40 million and installed 37,000 new POS terminals but scuttled the initiative for reasons including the fact that it slowed customer checkout), and Steinhafel eventually chose speed and convenience over the security of his customers. If they hadn’t backed out of their original plans, they might be telling a very different story today as they watched other, less-secure stores go down instead. And Steinhafel would still have a job.
You tell me, is a $100 million investment worth saving billions of dollars down the road? From experience, I’ve learned that most organizations come to the realization too late. Your organization, however, has much to gain from the lessons we’ve all taken away from the Target CEO resignation.
John Sileo is President and CEO of The Sileo Group, which helps organizations avoid becoming the next disastrous data-security headline. Sileo specializes in making security stick, so that it works. John presents highly interactive, surprisingly funny keynotes for organizations like yours, just as he has for The Pentagon, Visa, Homeland Security and IBM. Contact John directly at 800.258.8076.