Retail giant Target had a first in June 2014: a chief information security officer. For a company with nearly $73 billion in global sales last year, 366,000 employees (with an additional 50,000 during the holiday season), and close to 1,800 stores — to say nothing of the e-commerce site — that may seem surprising to anyone with an information systems degree.
However, after a massive data breach that was the subject of many stories and lengthy explanations to stock analysts and investors as well as a dedicated webpage, the addition is understandable. More than 40 million debit and credit card accounts may have been affected.
Profits fell by 40 percent in the fourth quarter of 2013. The company planned to spend an additional $5 million on cybersecurity. But, as people with degrees in information science could probably guess, the problem with digital security is almost never simply an issue of cash and technology.
Both the CIO and CEO of the company would lose their jobs over the data breach. However, pointing at an executive, no matter how richly deserved, is to ignore that most problems in companies, including a lack of security, are systemic in nature. It isn’t that one person makes a major mistake, although that could be the case. Instead, a company’s culture encourages some actions and discourages others. Chances are good that Target management hadn’t wanted to spend more money on security and likely didn’t find the topic of security particularly interesting.
In other words, the organization as a whole displayed a lack of responsibility. Management deemed the potential security problem, which exists in virtually every organization that depends on digital technology, unimportant. And a third party had certified Target’s PCI compliance, which means that the company was, in theory, doing all the right things to protect credit card data in its most recent assessment.
When there are multiple failures, there is a lack of responsibility. The people directly in charge of ensuring security were at fault. So was the consultancy that didn’t notice potential issues. As was upper management that should have asked hard questions and provided the attention and budget necessary to keep data safe.
Perhaps having a CISO will help. It should be a step in the right direction. But expertise and focused emphasis on an ongoing need in a company only helps if the organization as a whole changes its relationship to problem. If IT and general management treat the hire as the solution and an excuse for a return to practical indifference, nothing will change.