I've been thinking about why Target's US CEO, President and Chairman stepped down and the associated technology governance competency issues.
Apart from Target's failed move into the Canadian market, the serious Christmas 2013 cyber-security breach, where Target effectively 'stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes', was apparently the last straw. The Bloomberg Businessweek take on events highlights fundamental issues for boards relating to cyber risk.
My first question is: 'Where was the board?'
Personally, I consider that this example should put the final nail in the coffin of the dual CEO / Chairman role that continues to exist in US corporates. I note that the Target role has now been separated, at least in the temporary replacements. Gregg Steinhafel was Target's Chairman, President, and Chief Executive Officer and also a 30+ year employee.
Two alerts were sent to Target several weeks before the cyber attack and were ignored. This suggests to me that, as the CEO, Steinhafel did not have the competency to lead a digital business.
This harsh competency-based judgement leads to my second question: 'What technology governance processes were in place that would get high risk matters of this type from operational governance to board risk oversight, and quickly?'
As CEO, Steinhafel should have expected any such alerts to be acted on instantly and to be alerted himself, and should have had operational processes in place accordingly.
However, even if the alarm had been raised, did the board have the right technology-governance processes and alerts in place to make sure they could direct and govern in an emergency?
I suggest that the management and board processes at Target to raise the necessary urgent alert at the right levels were disconnected.
Target is a case in point. Because Steinhafel most likely lacked Enterprise Business Technology Governance competency as a CEO, this almost certainly carried through into his chairmanship of the board. Clearly there was no proactive board leadership (direction) of technology-related risk.
Also, given the dearth of enterprise technology governance skills within corporate boards globally, it's reasonable to assume that technology governance capability was likely missing from the rest of the board. Further, my research confirms that there is a broken link between IT governance within the business and corporate / board level governance.
The upshot was that Target has now faced more than 90 lawsuits, which have been filed by customers and banks for negligence and compensatory damages. 'That’s on top of other costs, which analysts estimate could run into the billions. Target spent $61 million through February responding to the breach...[and] profit for the holiday shopping period fell 46 percent from the same quarter the year before; the number of transactions suffered its biggest decline since the retailer began reporting the statistic in 2008'.
Technology-related opportunities and risks should be regularly reviewed and understood by directors and senior management. The trouble is, if you don't know what you don't know, you get what you get.
Incompetence or even reduced competence in a digital era can be very costly indeed, as evidenced by the growing list of iconic brands that have either gone out of business or that have lost significant market share, simply because they didn't see one technology impact or another coming...