Key Positions Absent at Target

Sometimes you just have to wonder, “What were they thinking?”

In today’s Wall Street Journal article, “Executive at Target Resigns After Data Breach,” author Paul Ziobro writes that one top-level official is resigning after the recent massive data breach at Target.  This doesn’t come as a surprise, as one would expect fallout due to Target’s poor financial performance after the breach was made public.

What I do find to be truly surprising and noteworthy is what else is revealed in the article:

“Target is looking at external hires for two other key roles: chief information security officer, a new position, and chief compliance officer, a role that was previously consolidated under Ann Scovil, vice president of risk assurance and compliance.”

Seriously? Are you kidding me? Target has a market cap of $39B, over 1,700 stores in 49 states, over 360,000 employees, and it didn’t have a chief information security officer or a dedicated chief compliance officer?

If this were 1999, I could understand Target’s lapse on these key corporate roles. But it is 2014; any Fortune 1000 company without a CISO and a CCO should have its board summarily sacked.

Would either of these positions have prevented the attack on Target? Probably not; however, a responsible CISO and CCO would have made sure controls were in place, such as continuous compliance monitoring. They also would have had the payment systems segmented from the rest of the corporate network. Most importantly, there should have been automated controls (file integrity monitoring, at a minimum) to warn system administrators that rogue files had been installed on their point-of-sale (POS) systems, well before the situation got out of hand.
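To make the last of those controls concrete, here is a minimal file integrity monitor of the kind that would flag an unexpected binary on a register. This is an added example, not code from the original post and not anything Target ran; the directory layout, file names and contents are constructed for illustration. It takes a SHA-256 baseline of every file under a POS software root, then reports files that were added, removed or modified on a later scan.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = hash_file(entry)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Rescan root and diff it against a previously recorded baseline.

    Returns the three lists an operator needs to act on. 'added' is the one
    that matters most on a POS host: nothing legitimate should appear there
    outside a change window.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in current.keys() & baseline.keys()
        if current[name] != baseline[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed POS directory, baseline it, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for the register software and its config.
        (root / "bin" / "register.exe").write_bytes(b"MZ legitimate register binary (constructed)")
        (root / "config.ini").write_text("[store]\nid=1234\n")

        baseline = build_baseline(root)  # taken while the host is known-good

        # Constructed tampering: a new binary dropped next to the register
        # software and a config file edited to point somewhere it should not.
        (root / "bin" / "updater.exe").write_bytes(b"MZ unexpected binary (constructed)")
        (root / "config.ini").write_text("[store]\nid=1234\nupload=203.0.113.10\n")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

Two caveats a practitioner would add before relying on this. The baseline itself must be stored off the monitored host, or signed, because malware running with administrative rights can rewrite a local baseline as easily as it writes the rogue file. And the alert has to go somewhere a human watches; a report that is generated nightly and read by nobody is the same as no control at all.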

The CISO and CCO roles are without a doubt as important as the CFO’s. In the past, fraud was probably the most dangerous activity that could befall a corporation, capable of taking down a thriving business in one fell swoop. Today, however, corporations are effectively at war with the world’s cybercriminals, many of whom are sponsored by their governments, and they go into that war without an offensive weapon in hand. It’s like going into a gunfight unarmed and unprotected. Having a competent CISO and CCO provides body armor for the corporation’s network.