On May 5, 2014, Target announced the resignation of its CEO, Gregg Steinhafel, in large part because of the massive and embarrassing customer data breach that occurred just before the 2013 U.S. holiday season kicked into high gear. After a security breach or incident, the CISO (or whoever is in charge of security) or the CIO, or both, are usually axed. Someone’s head has to roll. But the resignation of the CEO is unusual, and I believe this marks an important turning point in the visibility, prioritization, importance, and funding of information security. It’s an indication of just how much:
- Security directly affects the top and bottom line. Early estimates of the cost of Target's 2013 holiday security breach indicate a potential customer churn of 1% to 5%, representing anywhere from $30 million to $150 million in lost net income. Target's stock fell 11% after it disclosed the breach in mid-December, but investors pushed shares up nearly 7% on the news of recovering sales. In February 2014, the company reported a 46% decline in profits due to the security breach.
- Poor security will tank your reputation. The last thing Target needed was to be a permanent fixture of the 24-hour news cycle during the holiday season. Sure, like other breached companies, Target’s reputation will likely bounce back, but it will take a lot of communication, investment, and other efforts to regain customer trust. The company announced last week that it will spend $100 million to adopt chip-and-PIN technology.
- Consumers do in fact care about security and privacy. In an age where individuals broadcast every moment of their lives and practically their entire stream of consciousness through social media, one could be forgiven for assuming that consumers no longer care about the security and privacy of their data. However, consumers do care, and they proved it to Target and other retailers with what matters most — their wallets. See the first bullet for a summary.
- Security is a business responsibility and it’s key to winning in the age of the customer. Security is no longer the sole responsibility of the CISO or the CIO. It’s not an IT responsibility; it’s a business executive responsibility from the CEO to the CMO. We've had an ongoing debate within the Security & Risk team on whether it should be every enterprise’s number one corporate social responsibility. The debate is ongoing, but suffice it to say, if you want to win, serve, and retain empowered customers, you must earn and retain their trust in every step of their lifecycle.
- Security must become an embedded feature, not an afterthought. In the development and delivery of customer-facing products and services, security must be an embedded feature. It can’t be something that you try to bolt on after the fact. It’s like installing an aftermarket sunroof in your car: it never seems quite right, and when it rains, you know it’s going to leak.
- Security affects the entire ecosystem, not just the breached company. The typical enterprise has hundreds of third-party relationships and partners (suppliers, outsourcers and service providers, resellers, influencers, etc.), so when a company experiences a breach, there is a ripple through the entire ecosystem. The breach obviously undermined customer trust in Target, but it also undermined trust in the security of credit and debit card payment processing — and that affects a multitude of financial institutions that issue and generate revenue from these cards, not to mention the card brands themselves.
During my five years as a research director, I have found that our annual surveys and ongoing research interviews always echo a common chorus from security leaders — namely, the inability to mature the security posture of the firm due to a lack of executive support and funding for security efforts. As a result of the Target breach: 1) the credit card brands will push for more extensive use of tokenization in payment processing; 2) all CIOs and CISOs will realize that they need to invest in the processes and analyst skill that underpin the SOC as they do in technology; 3) consumer-oriented firms will reassess the maturity and readiness of their incident management and forensics abilities; and 4) Target itself will become one of the first U.S. retailers to adopt chip-and-PIN. But in my opinion, the most important outcome will be the recognition that security, when done well, is not a barrier to business but an accelerator and a differentiator, and everyone in the organization, not just the CISO but the board, the C-level, and every line-of-business owner, has a stake in security.