CIOs in hot seat since Target data breach
After the retailer’s shocking data breach, companies and organizations are boosting data-security budgets and chief information officers face increased pressure to prevent cyberattacks.
The Associated Press
NEW YORK — The departure of Target’s chief information officer in the wake of the company’s massive pre-Christmas data breach highlights the increased pressure facing executives who are charged with protecting corporate computer systems from hackers whose attacks are on the rise and becoming more sophisticated.
Years ago, the job of a CIO focused mainly on the upkeep of computer systems. In their largely behind-the-scenes roles, CIOs made most of their major decisions on what kinds of technological innovations a company would adopt, when and how much to pay for systems upgrades, and the creation and maintenance of company websites.
But the rise of computer crime in recent years changed the job description. At the same time, the surging use of personal smartphones and tablets in business settings has given CIOs even more technology to manage, along with countless new points of entry for hackers.
As a result, CIOs have their hands full as they adapt to their higher-profile roles.
Target’s breach sent shock waves through the profession. And CIOs from companies in all walks of business — from retail to banking and drug discovery — are using the breach to call attention to their struggle and garner more funds and staff to fight digital threats.
Cyberattacks were on the rise long before Target’s news that hackers had stolen 40 million debit- and credit-card numbers, along with the personal information belonging to as many as 70,000 people. A 2013 Hewlett-Packard-sponsored study by the Ponemon Institute found that the average annual cost of cybercrime incurred by a benchmark sample of U.S. organizations was $11.6 million per organization, a 26 percent increase from the previous year.
For a host of companies, the Target breach was a pivotal event that permanently altered the way they approach data security. Many CIOs say they’re receiving more support, but they say the trade-off is that they’re facing increased scrutiny from their CEOs and other executives. If their fortress walls fall to hackers, their jobs are on the line.
Ken Grady, CIO of life-sciences company New England BioLabs, says the new attention to data security has given him much-needed support from colleagues.
“If I have a breach in spite of all that, I need to be able to say that we did everything we could to prevent it,” Grady says. “If I can’t do that, then it would have a negative effect on me.”
Analysts believe the Target data theft couldn’t have had a positive effect on Beth Jacob, who had served as the company’s CIO since 2008. Target said Wednesday that Jacob’s resignation was her decision, but analysts say Jacob took the fall amid a slew of bad publicity for the Minneapolis-based company.
Target is in the midst of overhauling its information and compliance division and plans to look outside the company for a chief information-security officer and a chief compliance officer, two newly created positions. Before the overhaul, information-security functions were split among a variety of executives.
Tim Scannell, director of strategic content for the CIO Executive Council, a professional trade group, says companies have come to realize the importance of security. The result: boosted budgets and staffing increases. According to a recent CIO Executive Council survey, computer-security professionals say they expect an average increase of 8 percent in their budgets this year.
Scannell notes that even if a company isn’t a retailer that deals directly with consumers, most companies now have some kind of e-commerce operation, which makes them a potential target for an attack.
Meanwhile, the number of potential ways to breach computer systems has soared in recent years with the rise of smartphones and tablets, which along with home computers are used to remotely access company systems.
The new era of cybersecurity was a hot topic at the recent RSA tech-security conference in San Francisco. Daniel Ives, an analyst for FBR Capital Markets, said many of the professionals attending reported that data-security spending is rising.
Ives predicted a spending increase of as much as 15 percent this year, nearly double 2013’s growth rate of 8 percent. He estimates that businesses around the world will spend $30 billion to $40 billion this year on cybersecurity.
Ives says that while retailers, financial and health-care companies have the most to lose in the event of a cyberattack, any company that so much as uses mobile phones or puts customer data on its network is also at risk.
“Getting on the cover of The Wall Street Journal in some cyberattack is a CIO’s worst nightmare,” he said.
Universities also handle vast amounts of personal information. Gerry McCartney, Purdue University’s systems CIO, says public universities face the challenge of remaining transparent while protecting everything from student Social Security numbers to the research of their professors.
“If you lock data up like Fort Knox, people can’t use it,” he says. “It’s like locking your car up in the garage so you can’t get into an accident, but then what’s the point of having a car? You want your people to have access to data.”
McCartney adds that, in addition to malicious hackers, CIOs have to deal with accidental breaches that, for example, can occur if a well-meaning employee loses a thumb drive full of data.