Don’t Blame Target’s Audit Committee For The Sins Of Technology Management

Yesterday, Institutional Shareholder Services (ISS), a third-party advisor to Target Corp. investors, recommended ousting Target’s Audit Committee because they failed to do appropriate risk management, resulting in a breach of customer data. According to Twin Cities Business Magazine, ISS stated that “… in light of the company’s significant exposure to customer credit card information and online retailing, these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information, especially since it involves shoppers and the communities in which the company operates, as well as the overall impact on brand reputation and brand value.”  This suggests a fundamental lack of understanding of both the nature of the breach and who should be held responsible for the outcome.

First, let's understand what really happened here: Target updated their point of sale (POS) systems before the holiday season. There was a known vulnerability in those POS systems that let credit card data travel between the POS system and the register before it was encrypted and sent off to the clearinghouse for approval. Target's technology team was warned of the vulnerability and DECIDED that the risk was worth accepting – not the board, not the auditors; it was the people involved in the project who accepted the risk of losing 70 million records. When departments accept that level of risk, they, in essence, end the conversation. The audit committee and board of directors would be none the wiser. When was the last time you notified your board about how you were disposing of hard drives?

Never, right?

Second, the attackers got to the POS system through a third party's credentials that had access to the system management server (SMS), which, in turn, had access to EVERYTHING, including the POS system. That SMS server had a default password attached to a user account with global administrative rights that wasn't changed after install. Some would say that the internal auditors should have caught that. But the offending server wouldn't be part of the scope of a risk-based audit. I will ask again, when was the last time you called an SMS server, which is basically a utility server, a critical application that has an impact on financial reporting or card holder data?

Never, right?

Third, there were notifications from the third party that managed Target’s security monitoring. Those alerts went unaddressed and the chance to mitigate the risk and change the outcome was lost in the lack of attention given by the Target IT department. One more time, when was the last time you let the internal auditors or board of directors know about a security alert that you got two weeks before your busiest day of the year?

Never, right?

If you want to blame the board and the audit committee, blame them for not doing appropriate risk management or due diligence when expanding into the Canadian market, resulting in a $2 billion loss. But you can't, and shouldn't, blame them for a breach that was clearly the fault of security and the technology management team. And let this be a lesson to other retailers – PCI compliance is not a vaccine against a breach; it's just an indicator that you are walking on or around the right path. It's just as important to have a strong risk management program deeply embedded inside your technology management department, one that removes ambiguity about who may accept which risks, with appropriate escalation to executive management, right up to the Chief Risk Officer.
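The "unaddressed alerts" in the third point and the "appropriate escalation" in the paragraph above have a concrete operational shape: an open alert that outlives its response window should climb the escalation ladder on its own instead of waiting for someone to notice it. The script below is an added example, not code from the post or from Target; the alert line format, the per-severity response windows, the escalation tiers, and the sample alert feed (including its dates) are all constructed assumptions, and the "now" used for the age calculation is chosen to be two weeks after the first alert.

```python
from datetime import datetime, timedelta

# Assumed per-severity response windows (constructed for this example).
SLA = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(days=3),
}

# Escalation tiers keyed by how many response windows an open alert has
# outlived (constructed thresholds; a real risk program sets these).
TIERS = [(10, "executive"), (3, "security_manager"), (1, "team_lead")]

# Constructed sample alert feed: timestamp|severity|status|source|message
SAMPLE_ALERTS = """\
2013-11-30T02:14:00|high|open|endpoint_monitor|unexpected executable on POS host
2013-11-30T02:20:00|high|acknowledged|endpoint_monitor|unexpected executable on POS host (dup)
2013-12-13T23:30:00|critical|open|siem|admin login from new source address
2013-12-13T18:00:00|medium|open|siem|outbound transfer to unfamiliar host
2013-12-12T12:00:00|low|open|vuln_scanner|missing patch on utility server
"""


def parse_alerts(text):
    """Parse pipe-separated alert lines into dicts; skip blanks and comments."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, severity, status, source, message = line.split("|", 4)
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "severity": severity,
            "status": status,
            "source": source,
            "message": message,
        })
    return alerts


def escalation_tier(age, limit):
    """Map age / response-window onto a tier; None while still inside the window."""
    ratio = age / limit  # timedelta / timedelta -> float
    for threshold, tier in TIERS:
        if ratio > threshold:
            return tier
    return None


def overdue_alerts(alerts, now):
    """Return open alerts that outlived their response window, tagged with a tier."""
    overdue = []
    for a in alerts:
        if a["status"] != "open":
            continue  # acknowledged/closed alerts are someone's problem already
        age = now - a["ts"]
        limit = SLA.get(a["severity"], SLA["low"])  # unknown severity: be lenient, not silent
        tier = escalation_tier(age, limit)
        if tier is not None:
            overdue.append({**a,
                            "age_hours": round(age.total_seconds() / 3600, 1),
                            "tier": tier})
    return overdue


if __name__ == "__main__":
    now = datetime(2013, 12, 14)  # constructed "now": two weeks after the first alert
    for a in overdue_alerts(parse_alerts(SAMPLE_ALERTS), now):
        print(f"{a['tier']:16} {a['age_hours']:>7}h  {a['severity']:8} "
              f"{a['source']}: {a['message']}")
```

Run as-is, only the first alert is reported: it is still open after roughly 334 hours against a 4-hour window, so it lands at the "executive" tier, which is the point of the exercise. The three newer open alerts are inside their windows and stay with the team. The design choice worth noting is that tiers are derived from elapsed windows rather than from a human re-rating the alert, so an ignored alert escalates whether or not anyone looks at it.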

Finally, one more question: When will retailers understand that they are just as much a data and technology company as they are a supplier to consumers?

Soon, I hope.  

Comments

The security team should not

The security team should not accept any risk. They make recommendations to the business about what the business should accept.

It's possible that the security team had a process that included risk ranking and they might have gotten this wrong. This might mean that the business was essentially misled. It's also possible that the process was so poor that it didn't include business sign-off, which is the kind of thing a CISO is supposed to ensure exists. Of course, it's well known that they didn't have one.

When it comes down to it, I don't accept the premise of your posting.

You imply that the security team was delegated what would be an inappropriate level of responsibility. The security department should not accept this responsibility.

Business leaders are ultimately accountable for risk and must be careful to understand who is taking responsibility on their behalf. Accordingly, admitting some large assumptions, the business and their agents (auditors) have been appropriately held accountable for this grandiose error.

They cannot delegate this accountability, after all. If my assumptions about immature processes are true, the audit team should have seen this as they are asked by the business to review how accountabilities and responsibilities are owned and executed across the org. Heck, they should have harped on the fact that Target did not have a CISO.

Nice Post.. Excellent Info..

Nice Post.. Excellent Info.. Really amazing.. This was a fantastic article... really superb....

I agree with your specific

I agree with your specific points but I would argue that the Audit Committee should be held accountable for the broader issue regarding lack of a dedicated CISO.

It has been well documented that companies (especially large companies that handle PII and Financial data) need a CISO and security strategy. The following article from 2010 talks about the Ponemon report conclusions on the benefits of a CISO as it relates to the cost of a breach:

http://www.csoonline.com/article/2124815/malware-cybercrime/report--cisos-keep-breach-costs-lower.html

I would argue they allowed an environment that permitted systemic insecure activities to be the norm for many years despite the growing threat, increased awareness of security attacks and evidence of sound security practices.