There may be a little-considered aspect to former Target CEO Gregg Steinhafel’s mixed security legacy.  In the wake of Steinhafel’s resignation last week as the company’s president, CEO and Chairman of the Board, one cause that has been singled out in the eyes of many is the massive data breach that the company endured under his watch.

There is also a timing correlation of this resignation announcement with a ruling a month ago by the New Jersey District Court that upheld the Federal Trade Commission’s (FTC) ability to prosecute organizations that experience a data breach due to poor security policies.

For all the things the Target breach has done to the industry, all the fear, all the headlines and even outrage, it is important to recognize some of the things the event has done for the industry.

But as several analysts have indicated, focusing solely on the security breach amounts to a short view of the situation, because Target’s botched expansion into Canadian markets also weighed heavily on Steinhafel’s reign and resignation. For major organizations, inadequate data security gaps may become filled with increasing consequences.  In addition to litigation, reputation loss and financial losses, this resignation could harken an age of individual executive consequences when it comes to digital security breaches.

Highlighting the recent Target events is Tony Busseri, CEO of Route1, Inc,. a data security and identity management company, who said “the fact that Gregg Steinhafel was ousted as Target CEO is indicative of a sea change in data breach consequences for major corporations.”

Security writer Brian Krebs summarized some of the critical numbers, offering a unique perspective on the breach.  The stats are too good not to share:

40 million– The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.

70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.

46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.

0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).

0 – The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).

18.00 – 35.70 – The median price range (in dollars) per card stolen from Target and resold on the black market (range covers median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively).

1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest (based on interviews with three different banks, which found that between 3-7 percent of all cards they were told by Visa/MasterCard were compromised actually ended up experiencing fraud).

53.7 million – The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).

55 million – The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure as Target’s chief executive.

Perspective on the past, and future

Ironic ad placement from RSA 2014

It is easy to point out what went wrong on Steinhafel’s watch, though we may never have all the details.  Millions of accounts were compromised and Target’s security systems, technology and processes did not catch this problem before it was too late.  The industry can see from the outside looking in that something better has to be done, something beyond compliance and beyond what legacy security practices are able to provide.

One area to improve is Target’s executive line up, which seemingly lacked a Chief Information Security Officer (CISO) at the time of the breach.  Responsible for compliance, security, auditing and more, the CISO is one role that cannot be skimped on.  Thankfully Target has since brought on a new Chief Information Officer (CIO), Bob DeRodes, from outside the company, and also announced a move to advanced card technologies in 2015.  The Chip-and-PIN technology that Target is implementing may not have prevented this particular incident, but it does provide a welcome update in consumer security.  Target also put out that it searching for a CISO and various other critical security roles to fill out its ranks.

While Target restructures and recovers from its Canadian expansion woes and one of the biggest retail data breaches in recent history, reflecting on Steinhafel’s accomplishments requires a forward-looking perspective in addition to the summary of all that happened. From the first public comments following the breach incident, Steinhafel assumed responsibility and promised changes.  He has left the company on that track, yet perhaps the past was much to overcome.

With key, strategic executives in place and a responsible path towards better technology, the day may come when we look to Target not only as a retail security disaster, but also as a retail security success story.  Steinhafel plays a role in that potential turnaround and it should be acknowledged.

photo credit: las – initially via photopincc; RSA photo photo courtesy of Howard Haile