Target right to fire CEO over data breach, expert says
Cyber-security is so important that it is now a C-level matter, says AccessData strategist
It should come as no surprise that Target CEO Gregg Steinhafel has been fired over a massive data security breach, as security operations are now coming under the remit of C-level executives, according to Craig Carpenter, chief security strategist at AccessData.
The American retailing giant is still reeling after a data security breach that resulted in the theft of 40 million debit and credit card numbers in the United States. Personal information of up to 70 million shoppers could also have been compromised in the breach, reports said.
And while Steinhafel, as a CEO, would have had little to do with particular security operations across the company, Carpenter said, Target was right to fire him as it sends a message that security is now a C-level concern.
"While most will be, no one should be surprised that Target's CEO was fired over the breach they suffered. It seems - and may be - unfair, given Mr Steinhafel's stellar 35-year career with the retailer, especially considering the fact that very few CEOs of major companies will be intimately familiar with their own security operations," he said.
"But that is exactly the point. Cyber-security is so important that it needs to and will become a C- and Board-level matter, just like key hires, compensation of executives and broader corporate governance. The reason for this is simple. Cyber-threats are so pervasive and so potentially damaging to any corporate brand that the C-level and Board members cannot afford to not know what's going on."
Carpenter added that Steinhafel's dismissal would send a clear message to his C-level peers - that massive security incidents could lose them their jobs if not dealt with correctly.
With regard to the breach itself, Carpenter said that the fault did not lie with Target's defensive measures, which he described as well-funded and which actually detected the breach within a day. The real issue, he explained, was that Target was unable to effectively respond to the incident before it became bigger than the company could control.
"This story is entirely about Target's inability to separate the real alarms from the noise, and respond quickly, comprehensively and effectively to true cyber-threats," he said.
"And the vast majority of global businesses are in exactly the same position Target was (or even worse position), i.e. unable to manage incident response (IR) as a business process.
"The Target example will push global corporations and government entities to mature their IR posture. Incident response, which failed at Target, will become a key business process just like so many other operational processes, eventually being highly predictable, measurable and able to be relied upon every day."