5-Step Plan For New Target CIO - InformationWeek


5-Step Plan For New Target CIO

Target's new CIO, Bob DeRodes, faces tough challenges as he upgrades information security processes. Here's my armchair quarterback advice.

DeRodes will do himself and Target a favor if he presents periodic reports on progress; doing so will help to rebuild Target's IT credibility. And these types of reports also help with internal morale, which must be low. More on that in a moment.

Step 3: Don't get in the way.
It's likely that everyone in the Target IT organization has been wearing a scarlet breach "B" on their collective chests, ashamed of the breach and the financial and PR consequences. Those who have stuck around are working their keisters off to make things better.

My guess is that 80% or more of the activities already happening (see point No. 2) are exactly what Target needs. The worst thing DeRodes could do in this situation would be to jump in and further demoralize staffers by throwing out their plans because he wants to put his own stamp on things.

DeRodes won't. He's too experienced to make that mistake. He'll intervene when he sees a clear need to do so. Otherwise, he'll mostly keep out of the way after he assesses and tweaks the plan.

Step 4: Assess and address staffing.
The most important thing a CIO does is attract and retain the right talent -- and encourage the wrong talent to go elsewhere. DeRodes will do one-on-one interviews with a handful of key staffers, and he'll assess the rest of the team by proxy, by reviewing them with his managers. He may also use a sampling strategy, where he compares what one of his managers says about a staffer with what his own interview and assessment tells him. My guess is that he won't sample very much unless he starts worrying about the competence or leadership abilities of his management team.

The worst thing for Target, given how demoralized key staffers are, would be to let experienced, talented IT people walk out the door. Retaining the right people will be hugely important.

DeRodes will also assess whether staffing levels are adequate. Security tasks sometimes don't get done when folks are insanely busy. My guess is that Target will overcompensate for security for the foreseeable future.

Step 5: Build a new IT culture.
When the CEO states publicly that he hired you for your "history of leading transformational change," you'd better get cracking. Significant change always requires a reboot of the organizational culture. DeRodes won't start doing that until the basics are in order: current security plan being followed, chip-and-PIN project on track, staff assessment completed, etc. But it will loom large on his agenda.

Anybody can come in and implement projects. But creating lasting change will require a lot more effort. It's not a cookie-cutter project. DeRodes must take what he learns from Steinhafel, from his staff assessment, and from his peers and put together an almost forensic reconstruction of what went wrong and how a change in basic work values could have made a difference. This assessment is an important step toward creating guiding principles that both jibe with Target's overall values and steer employees to do the right things, even when there's no explicit policy to guide them.

For example, DeRodes will be digging into why Target's security team ignored data breach alarms. Yes, the technical reasons are that Target, not unlike many organizations, chose to take manual, not automated, action, likely because of fear of false positives shutting down important business processes. But was there also a culture of "mother-may-I?" going on? Were individual security analysts empowered to take swift action, or did they have to embark on a chain-of-command journey to do anything? When you have the correct core values in place (as opposed to needing a specific policy for every contingency), employees take action.

This is arguably the hardest but most important part of creating lasting change. DeRodes has his work cut out for him.


Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ...

User Rank: Ninja
4/30/2014 | 9:19:24 PM
Re: Advice from the Front Lines
The most important factor that took my attention was "Assess and address staffing". Retaining the good talents has become a challenge age for the CIO, hence he has to focus on it very much.
User Rank: Ninja
4/30/2014 | 9:16:04 PM
Re: Advice from the Front Lines
I agree with you. It is always important to listen since it gives more space for good decision making.
Craig Carpenter, AccessData
User Rank: Apprentice
4/30/2014 | 6:15:30 PM
Advice from the Front Lines
Excellent story Jonathan, the front lines are always the best place from which advice should come. If I were Bob DeRodes, I would be listening!
User Rank: Author
4/30/2014 | 5:58:14 PM
Re: Blow Your Own Horn
The big chip-and-pin payment terminal plan illustrates the opportunity -- now is the time to go big on initiatives that wouldn't have been possible before the breach. Think anyone ever thought about those kind of payment terminals before? Such security steps face the "do we have to?" and "why now?" questions. Now security will take center stage -- for a bit.
User Rank: Author
4/30/2014 | 3:09:29 PM
Blow Your Own Horn
I like Jonathan's emphasis on "visibly" delivering on what the Target CEO and shareholders want. CIOs in all industries need to blow their organizations' horns more -- get better at communications and PR. Critical in this day and age.

Lorna Garey
User Rank: Author
4/30/2014 | 2:43:04 PM
Expensive, Massive, Doomed
Security as practiced by large companies today looks way too much like a massively multilevel game of whack-a-mole. So many regs, so many segments, so many stupid end users er, inside threats. There's no way around it, but how sustainable is it? The costs have to be passed along to consumers. At what point do we just surrender and all just get credit cards that expire every month?