"The buck ultimately has to stop at the highest level of executives, and if executives don't care about security, there have to be consequences."
John Kindervag, Vice President, Forrester Research
Industry observers said Steinhafel's de-facto ouster may be a turning point for enterprise information security's importance in the C-suite, proving that CEOs must take infosec seriously -- or face the consequences.
The Target data breach saga -- resulting in the loss of approximately 40 million payment cards and the personal information of up to 70 million customers -- has embroiled the retail giant since its discovery. Facing dozens of lawsuits, several congressional hearings, and a stock that as of press time had fallen 5.6% this year, Steinhafel seemed unable to move the company past the public relations hit it suffered as a result of the incident.
The Costs of a CEO Transition
While Gregg Steinhafel may no longer be Target's CEO, he's leaving with a significant bit of cash, stock, pension benefits and deferred pay.
The company said in a Monday filing that Steinhafel, 59, will receive unspecified severance after announcing his resignation five months after the massive security data breach.
Standard severance pay among chief executives is typically three times annual salary. But Target executives have no employment contracts. Still, the company's "income continuance policy" provided to terminated senior managers covers two times base salary, plus the total average of three years of short-term incentives and personal performance payouts.
According to Target's 2013 proxy, Steinhafel could receive at least $11.7 million in salary and incentive pay, pension benefits worth over $1.2 million and over $42 million in deferred compensation. Steinhafel also had $12.7 million in restricted shares that would vest.
Target has hired a new chief information officer, Bob DeRodes, to help overhaul its data security systems in the wake of the breach. DeRodes has 40 years of experience in information technology and replaces Beth Jacob, who resigned in early March. DeRodes, who took over the day of Steinhafel's announcement, has been a senior information technology adviser for the Center for CIO Leadership, the U.S. Department of Homeland Security, the U.S. Secretary of Defense and the U.S. Department of Justice.
The breach that led to Jacob's resignation also led to the creation of two new positions: a Chief Information Security Officer and a Chief Compliance Officer. That the Chief Compliance Officer is a newly created position may say more about the company's priorities and culture than the executive resignations do.
"It has been reported that Target's computer security staff raised concerns about vulnerabilities in the retailer's payment card system at least two months before the breach," said Jack Healey, CFE, CPA/CFF, Firestorm Expert Council Member and Co-founder of Genesis Management, "and, as Target sees numerous threats each week, it's possible that viewed as a cost center, IT and the threat security team could prioritize only so many issues at a time based upon resources and corporate priorities."
"And while the hiring of Bob DeRodes is a positive step," continued Healey, "they [Target] are behind the times in doing so for a company of their size and market impact."
Several members of Target's cybersecurity team left the company in the months before the hack. This exit of intellectual capital may have added to the growing lack of oversight and communication.
It should be noted that Chief Financial Officer John Mulligan told Congress in February that the company wasn't aware the malicious computer code that carried out the attack was in its system until contacted by federal investigators late last year.
Jim Satterfield, Firestorm President and COO:
"Ultimately, the Board has responsibility for overall governance. The Board must send a message to consumers and the marketplace, that it will put the appropriate programs in place."
"Whatever controls were in place previously simply didn't work; information was siloed and not communicated well, and so the criticality and urgency of the possibility of vulnerabilities was lost."
"Will the new CEO succeed? Only time will tell, but the focus must be on creating a program that is dynamic, well-monitored, and actionable - this is critical in today's business environment. Moreover, the Board must now make it a point to meet in-person monthly, to not only demonstrate their commitment to addressing critical governance issues, but to actually do something about them."
Timeline of Breach Event
Dec. 19, 2013: Target acknowledges that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend. The theft marks the second-largest credit card breach in U.S. history. Steinhafel issues a statement of apology the following day.
Jan. 10, 2014: Target announces that in addition to the credit and debit card numbers, personal information -- including phone numbers and email and mailing addresses -- was stolen from as many as 70 million customers in the breach, putting them at risk of identity theft.
The chain also said its sales had been hurt by the breach, cutting its forecast for fourth-quarter earnings and a key sales barometer.
Jan. 29, 2014: Target says investigators found that hackers stole credentials from a vendor to access the retailer's systems. It did not identify the vendor at the time, but a Pittsburgh-area heating and refrigeration business that did business with Target later came forward to say that it also was the victim of a sophisticated cyberattack.
Feb. 26, 2014: Target says its fourth-quarter profit fell 46 percent on a revenue decline of 5.3 percent as customers became spooked about the safety of their private data.
While Target said sales have been recovering since the breach, it expects business to be muted for some time. It issued a profit outlook for the current quarter and full year that was below Wall Street expectations.
March 5, 2014: Chief Information Officer Beth Jacob resigns, the first executive caught up in the fallout of the breach.
April 29, 2014: Bob DeRodes, who has 40 years of experience in information technology, is named as new chief information officer.
The company also says that MasterCard Inc. will provide its branded credit and debit cards with the more secure chip-and-PIN technology that it says will be coming out next year. That will make Target the first major U.S. retailer that will have its own branded cards with such technology.
May 5, 2014: Target announces Steinhafel's departure and names Chief Financial Officer John Mulligan as interim president and CEO.