The Associated Press reported today that Target’s CEO resigned, largely as a result of the damage done to the company in the wake of the massive credit card breach reported five months ago. You can read the AP’s full story here: http://www.wjla.com/articles/2014/05/target-ceo-fired-following-last-year-s-security-breach-102788.html
The gist of the story is contained in one paragraph: “He was the face of the public breach. The company struggled to recover from it,” said Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin. “It’s a new era for boards to take a proactive role in understanding what the risks are.”
Boy. I’ll say. The last time I heard of a C-level executive (other than a CIO) who lost his job because of an IT failure, it was January 2005. The President of ComAir resigned three weeks after the company’s crew scheduling system failed on Christmas Eve 2004, stranding 30,000 passengers for three days during the busiest travel (and family) season of the year, an incident that also cost the company seven percent of its revenue for the year, not to mention a Federal government investigation.
But that was then, and this is now. In those days an IT-related incident with that level of consequence was one-of-a-kind. Not any more. Now IT risk is a societal issue worldwide–not an enterprise issue, or even an industry issue, but a global issue for anyone who uses a computer keyboard, which increasingly is everyone, period. It’s official: failure to take every reasonable action to ensure the security of computing resources can get a CEO fired.
Survey data from Gartner analysts such as Laura McLellan and Kurt Potter indicate that somewhere in the neighborhood of a third of all enterprise spending on IT is spent without input or advice from the IT organization, and that spending is increasing at a rate faster than the growth of the traditional IT organization’s budget. The increasingly widespread availability of cloud computing resources makes it easy for anyone with a budget to acquire IT-related services pretty much on demand. Whether that’s a good thing depends on your point of view. IT professionals, who are used to vetting IT services for performance issues that include security, availability, and reliability tend to take the point of view that it’s terrifically risky, and therefore not a very good thing; marketing and sales professionals, who often see IT’s apparent obsession with traditional performance virtues like security as obstructionist, tend to think otherwise. IT professionals know that these things can go horribly wrong; the new buyers haven’t had enough experience with IT to know that. The new buyers value speed-to-access above all. And why not? What could go wrong, after all? Doesn’t the stuff work?
The newly apparent answer is that the technology works until it doesn’t, and it might stop working when somebody with ill intent makes it his business to break it. If and when it fails, a CEO can pay the price. You can bet that CEOs everywhere sent out a barrage of memos to their Chief Marketing Officers today asking about what they’re doing to protect all the stuff they’re running in the cloud. The answers are likely to range somewhere between “not much” and “nothing.” Such answers were probably acceptable last week. They’re not acceptable now. Not if the CEO can lose her job over it.
I suspect that a lot of the non-IT professionals who are carefree buyers of IT services, in the cloud or elsewhere, are about to find out that the party is over, and from this point on their IT purchases are going to be subject to a new and much higher level of scrutiny. That doesn’t mean that enterprise IT spending outside the IT budget will stop. It might not even slow down. But the days when anyone in the enterprise could throw down a credit card and put a bunch of sensitive data anywhere they liked without having to demonstrate due diligence in protecting that data are probably drawing to an imminent close. Sarbanes-Oxley compliance became an urgent enterprise project when failure to comply meant potential jail time for the CFO and CEO. Managing IT risk for every IT purchase is about to become an urgent priority for similar reasons: the real costs, and the parties who will pay it, are now blindingly obvious.