It's armchair quarterback time. Target has hired a new CIO to replace Beth Jacob, who resigned in March following a massive security breach at the big-box retailer. Since everyone was second guessing Jacob during her final days, it's fitting that the mob has its say now.
But let me be blunt and serious: I found the whole vilification of Jacob to be the worst kind of techno-blamestorming -- by business and technology leaders, journalists, and other pundits. There's a big difference between mistakes and negligence. Though Jacob and her team clearly made missteps, enterprise infosec is an excruciatingly difficult game to play. I know; I've been there.
Infosec is a team sport that requires everyone, not just the IT organization, to participate. Businesses demand agility and flexibility and complain about too many false positives. Employees dismiss infosec as "an IT thing" and proceed to type their passwords into the one out of every 100 simple phishing attacks that makes it past email security, even though the security training they ignored while playing Bejeweled Blitz on their smartphones clearly spelled out what to do in these situations.
Even key players in finance and in risk management aren't always on board, chastising IT and infosec leaders for their paranoia or for playing "gotcha games" via their legitimate drills. Anybody who hasn't been in the CIO's worry seat can't possibly imagine how much of a no-win scenario this can be. As Craig Carpenter, AccessData's chief cyber-security strategist, put it, the bad guys need to be right only once, but the good guys have to be right all the time. Yes, the scope of the Target breach was staggering, resulting in the theft of 40 million credit and debit card numbers. But as an incumbent CIO who understands that not all the details of internal stories make it to the light of day, I'm wondering how much of that breach can be traced back to a lack of infosec buy-in and support from Jacob's peers and Target's employees.
That's why Target has made a great choice in picking a retired CIO to reboot its IT. Bob DeRodes, the former CIO of Home Depot, has stared down the retail infosec demon before. My bet is that this is a temp job for him -- he'll do what's necessary without worrying about hurting anyone's feelings, and then he'll move on. For that reason, Target made the right move. It needs someone who can focus on the post-breach IT cleanup, someone without career or money worries. (DeRodes earned a total compensation package of almost $5 million for his final year at Home Depot).
So here's my armchair quarterback five-step plan for DeRodes. In this case, I'll skip the usual Step 6, which would have been "Prepare Your Parachute." Most new CIOs must prepare for the possibility of discovering that executive management says it has learned its lessons about resourcing and prioritizing security but still isn't prepared to follow through.
Step 1: Get clear on what the CEO wants.
Gregg Steinhafel, Target's chairman and CEO, has publicly declared what he wants from DeRodes: "Establishing a clear path forward for Target following the data breach has been my top priority... Bob's history of leading transformational change positions him well to lead our continued breach responses and guide our long-term digital strategy." Translation: Change our IT so that an embarrassing security breach doesn't happen again, while creating technology excellence throughout Target. As always, the "how" is the hard part.
My prediction is that DeRodes, very early on -- he probably started while negotiating for the job -- will be having deep conversations with Steinhafel to establish what the CEO wants and to set realistic expectations about what can be accomplished in 30 days, 90 days, and the coming year. This is also the opportunity for DeRodes to sniff out how much Steinhafel buys into the notion of creating a culture of information security and IT excellence, and how much he's willing to pay for it.
Step 2: Visibly deliver on what the CEO and shareholders want.
Target already has ambitious plans for shoring up security, including a very public-facing deployment of chip-and-PIN security payment terminals in all its stores by September. Job No. 1: Don't screw that up. And when you make progress, tell everyone about it.
When Target appointed DeRodes, it also outlined other security measures being implemented, including enhancements to monitoring and logging, new "whitelist" firewall rules, enhanced network segmentation, a firewall governance process, reviews and limitations on vendor access, a decommissioning of FTP and telnet, a coordinated reset of 445,000 Target employee and contractor passwords, and a broadening of two-factor authentication. Whew. Some of those things should have been done already, of course. Telnet and FTP? Really? But some of it, notably network segmentation, isn't yet widely implemented across industries. Most IT organizations still believe in perimeter security. That's really been dead for some time, but that's another story.
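The "whitelist" firewall rules and network segmentation in that list amount to one idea: every permitted flow between segments is named explicitly and everything else is dropped and logged, with retired cleartext services such as FTP and telnet refused outright. The following is an added example of that policy model, not Target's configuration or code; the segment names (pos, payment_gw, corp_mgmt, vendor_vpn, hvac), the ports and the nftables rendering are constructed for illustration, and the rendering assumes one interface per segment.

```python
"""Added example: default-deny segmentation policy with an explicit allow list.

Not Target's configuration; segment names, ports and the nftables rendering
are constructed for illustration (assumes one interface per segment).
"""
from dataclasses import dataclass

# Cleartext services being retired: never allowed, even if someone adds a rule.
DECOMMISSIONED_PORTS = {21: "ftp", 23: "telnet"}


@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_segment: str
    port: int
    proto: str = "tcp"


# Every permitted flow must be listed; anything not listed is dropped and logged.
ALLOWED_FLOWS = {
    Flow("pos", "payment_gw", 443),      # terminals talk only to the payment gateway
    Flow("corp_mgmt", "pos", 22),        # management jump segment may administer POS
    Flow("vendor_vpn", "hvac", 443),     # vendor access confined to its own system
}


def evaluate(flow, allowed=ALLOWED_FLOWS):
    """Return (verdict, reason) for one flow; the default verdict is 'drop'."""
    if flow.port in DECOMMISSIONED_PORTS:
        return "drop", f"{DECOMMISSIONED_PORTS[flow.port]} is decommissioned"
    if flow in allowed:
        return "accept", "explicit allow-list entry"
    return "drop", "default deny"


def render_nftables(allowed=ALLOWED_FLOWS):
    """Render the same policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for f in sorted(allowed, key=lambda f: (f.src_segment, f.dst_segment, f.port)):
        if f.port in DECOMMISSIONED_PORTS:
            continue  # refuse to render a rule for a retired service
        lines.append(
            f'        iifname "{f.src_segment}" oifname "{f.dst_segment}" '
            f"{f.proto} dport {f.port} accept"
        )
    # Log what the default policy drops so segmentation violations are visible.
    lines += ['        log prefix "seg-drop " drop', "    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for probe in (Flow("pos", "payment_gw", 443),
                  Flow("vendor_vpn", "pos", 443),
                  Flow("corp_mgmt", "pos", 23)):
        print(probe, "->", evaluate(probe))
    print(render_nftables())
```

The decommissioned-port check runs before the allow list on purpose: a later rule change cannot quietly reintroduce telnet or FTP, and the renderer refuses to emit such a rule. The vendor segment reaching anything but its own system falls through to the logged default deny, which is the "limitations on vendor access" and "enhanced network segmentation" items expressed as one policy.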
DeRodes will do himself and Target a favor if he presents periodic reports on progress; doing so will help to rebuild Target's IT credibility. And these types of reports also help with internal morale, which must be low. More on that in a moment.
Step 3: Don't get in the way.
It's likely that everyone in the Target IT organization has been wearing a scarlet breach "B" on their collective chests, ashamed of the breach and the financial and PR consequences. Those who have stuck around are working their keisters off to make things better.
My guess is that 80% or more of the activities already happening (see point No. 2) are exactly what Target needs. The worst thing DeRodes could do in this situation would be to jump in and further demoralize staffers by throwing out their plans because he wants to put his own stamp on things.
DeRodes won't. He's too experienced to make that mistake. He'll intervene when he sees a clear need to do so. Otherwise, he'll mostly keep out of the way after he assesses and tweaks the plan.
Step 4: Assess and address staffing.
The most important thing a CIO does is attract and retain the right talent -- and encourage the wrong talent to go elsewhere. DeRodes will do one-on-one interviews with a handful of key staffers, and he'll assess the rest of the team by proxy, by reviewing them with his managers. He may also use a sampling strategy, where he compares what one of his managers says about a staffer with what his own interview and assessment tells him. My guess is that he won't sample very much unless he starts worrying about the competence or leadership abilities of his management team.
The worst thing for Target, given how demoralized key staffers are, would be to let experienced, talented IT people walk out the door. Retaining the right people will be hugely important.
DeRodes will also assess whether staffing levels are adequate. Security tasks sometimes don't get done when folks are insanely busy. My guess is that Target will overcompensate for security for the foreseeable future.
Step 5: Build a new IT culture.
When the CEO states publicly that he hired you for your "history of leading transformational change," you'd better get cracking. Significant change always requires a reboot of the organizational culture. DeRodes won't start doing that until the basics are in order: current security plan being followed, chip-and-PIN project on track, staff assessment completed, etc. But it will loom large on his agenda.
Anybody can come in and implement projects. But creating lasting change will require a lot more effort. It's not a cookie-cutter project. DeRodes must take what he learns from Steinhafel, from his staff assessment, and from his peers and put together an almost forensic reconstruction of what went wrong and how a change in basic work values could have made a difference. This assessment is an important step toward creating guiding principles that both jibe with Target's overall values and steer employees to do the right things, even when there's no explicit policy to guide them.
For example, DeRodes will be digging into why Target's security team ignored data breach alarms. Yes, the technical reasons are that Target, not unlike many organizations, chose to take manual, not automated, action, likely because of fear of false positives shutting down important business processes. But was there also a culture of "mother-may-I?" going on? Were individual security analysts empowered to take swift action, or did they have to embark on a chain-of-command journey to do anything? When you have the correct core values in place (as opposed to needing a specific policy for every contingency), employees take action.
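The trade-off described here, manual action out of fear of false positives versus empowering analysts to act, can be made explicit in tooling: pre-authorize automated containment above a confidence threshold, require a fast human decision where containment would halt a critical process, queue the rest with a deadline, and surface whatever nobody closed in time. The following is an added example of that tiered model, not Target's tooling or data; the threshold, the SLA values, the host names and the alerts are constructed for illustration.

```python
"""Added example: tiered alert response with an auditable decision record.

Constructed for illustration; the thresholds, hosts, signatures and alerts
are hypothetical and not Target's tooling or data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    signature: str
    confidence: float          # 0.0..1.0 as reported by the detection tool
    observed_at: datetime


@dataclass(frozen=True)
class Asset:
    host: str
    segment: str
    manual_only: bool = False  # isolating this host would halt a critical process


AUTO_CONTAIN_THRESHOLD = 0.9   # constructed value; tune against your false-positive rate

# Longest a decision may sit before a human must have closed it.
RESPONSE_SLA = {
    "contain": timedelta(0),            # automated, effective immediately
    "escalate": timedelta(minutes=15),  # high confidence, but a human must approve
    "review": timedelta(hours=4),       # analyst triage queue
}


def triage(alert, asset):
    """Map one alert to an action the on-duty analyst is pre-authorized to take."""
    if alert.confidence >= AUTO_CONTAIN_THRESHOLD and not asset.manual_only:
        action, reason = "contain", "high confidence on a host that may be isolated"
    elif alert.confidence >= AUTO_CONTAIN_THRESHOLD:
        action, reason = "escalate", "high confidence but host is marked manual-only"
    else:
        action, reason = "review", "below the auto-containment threshold"
    return {
        "alert_id": alert.alert_id,
        "host": alert.host,
        "signature": alert.signature,
        "action": action,
        "reason": reason,
        "due": alert.observed_at + RESPONSE_SLA[action],
        "closed": action == "contain",  # automated actions close themselves
    }


def overdue(decisions, now):
    """Decisions past their SLA that nobody closed: the 'ignored alarm' case."""
    return [d for d in decisions if not d["closed"] and now > d["due"]]


def run_demo():
    """Run three constructed alerts through triage and report what went stale."""
    t0 = datetime(2014, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    assets = {
        "pos-0117": Asset("pos-0117", "pos"),
        "erp-db-01": Asset("erp-db-01", "corp", manual_only=True),
    }
    alerts = [  # constructed sample alerts
        Alert("A-1", "pos-0117", "suspicious-process", 0.97, t0),
        Alert("A-2", "erp-db-01", "suspicious-process", 0.95, t0),
        Alert("A-3", "pos-0117", "policy.cleartext-ftp", 0.40, t0),
    ]
    decisions = [triage(a, assets[a.host]) for a in alerts]
    late = overdue(decisions, t0 + timedelta(hours=1))
    return decisions, [d["alert_id"] for d in late]


if __name__ == "__main__":
    decisions, late = run_demo()
    for d in decisions:
        print(d["alert_id"], d["action"], "due", d["due"].isoformat(), "-", d["reason"])
    print("overdue after one hour:", late)
```

The point of the record is that every alert leaves a decision with a named action and a deadline, so "we chose not to act" is a visible, reviewable choice rather than a silent one; the overdue report is what management should be reading, and the manual-only flag is the place where the false-positive concern is written down per asset instead of applied to everything.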
This is arguably the hardest but most important part of creating lasting change. DeRodes has his work cut out for him.
Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ...