Gregg Steinhafel, former Chairman and CEO of Target Corporation, stepped down earlier this month. The primary reason stated was the continued fallout from the massive 2013 data breach. And massive it was! In case you don’t recall, up to 110 million customer records were compromised.
It is interesting to note that there is a multitude of explanations as to what exactly happened in this debacle. Some say hackers broke into the Target organization through the system of one of its suppliers, a seemingly innocuous HVAC company. Others say the breach came through the magnetic stripe on the back of your credit card, which stores data and personal information.
No matter where the infiltration came from, the results are the same. Personal and private information found its way into the hands of those who have no reason to possess it and are motivated by objectionable ambitions. Target made big news when this event happened, but some lesser-known casualties perhaps provide some sense of this issue:
- Last month, two hackers pleaded guilty to accessing accounts at Citibank, JP Morgan Chase, PayPal, TD Ameritrade, the U.S. Department of Defense, TIAA-CREF and others to defraud these companies and their customers of more than $15 million.
- Earlier this year, Neiman Marcus reported that they were working with U.S. Secret Service to investigate compromised credit card activity. It seems that hackers moved undetected in the company’s computers for more than 8 months!
- These types of events did not begin yesterday. In 2008, thieves simultaneously hit more than 2,100 ATMs across the globe and within 12 hours stole more than $9 million in cash. According to the FBI, the attack “started when a 28 year old Moldovan man learned of a vulnerability in the computer network of a major credit card processing company based in Atlanta.”
And the list goes on. It seems that almost daily we read about some unauthorized data breach. Quite simply, as we get more and more digital we become more and more vulnerable. In fact, the term cybercrime, which is now defined in the Oxford Dictionary, was only coined in the late 1990s. The rate of change and associated challenge is monumental.
So where does that leave your board of directors? Clearly, boards must understand and focus on cybersecurity. This is part of their fiduciary duty. However, the mechanics of making this happen are still up for debate. One school of thought feels that cybersecurity is the responsibility of the entire board and another believes its rightful place is in the hands of the risk committee. But what if the board does not have a risk committee? What if the board does not have technology expertise? Or if their technology expertise is antiquated? Technology expertise in this case, by the way, does not refer to the CEO or former CEO of a technology company. Rather, it indicates a true technologist in the form of a Chief Technology or Chief Information Officer: someone who understands enterprise technology systems and has managed decisions relating to them.
Getting back to Target, major kudos to the board for having excellent operational experience. CEOs abound on this board. There is also international expertise and diversity both in terms of gender and ethnicity. But where is the technology savvy? Where is the understanding of cybersecurity and cyber-risk? As Gregg Steinhafel was working through the Target crisis with his team, surely he would have benefitted from a technologist on his board. In fact, dare I speculate as to whether this would have been as disastrous had there been some technology expertise assisting with the steering of this ship?
Clearly, as Target and most other companies increasingly rely on technology to run their businesses, such proficiency in the boardroom will not be optional. Hindsight is of course 20/20, and hopefully Target will take this opportunity to assess its board and round out its competencies.