That someone had to take the fall for the massive breach at Target is neither surprising nor unexpected. The only question is whether more heads will roll in the aftermath of one of the biggest data compromises in retail history.
Target on Wednesday announced that Beth Jacob, its CIO of more than five years, had resigned. The move comes less than two months after the retail giant disclosed it had suffered a data breach that exposed sensitive data on more than 40 million credit and debit cards.
Later, the company announced that emails, addresses and other information on another 70 million people might also have been exposed as the result of the intrusion, which occurred over the 2013 Thanksgiving weekend.
In a statement to the Associated Press, Target CEO Gregg Steinhafel said the company is searching for an interim CIO to help it through an information security overhaul that began after the breach.
Target is also elevating the role of the CISO and is looking for a chief compliance officer as part of the transformation effort.
Such moves are not that unusual for organizations that have suffered major breaches. In the past few years several CIOs and technology executives have been held similarly accountable for security lapses.
In 2012, the executive director of Utah's Department of Technology Services was forced to resign over a data breach that exposed the Social Security numbers and other personal data of about 280,000 Medicaid recipients. Utah Gov. Gary Herbert cited a lack of "oversight and leadership" in seeking the resignation.
In 2006, Maureen Govern, AOL's chief technology officer, quit her job in the aftermath of a disclosure that the company had publicly released data on searches done by about 650,000 of its online subscribers. Two employees in the company's research division, which was responsible for the release of the data, were let go.
That same year, Ohio University's CIO William Sams resigned from his job and two top IT managers were sacked following a series of data breaches.
Jacob's fate was even more likely given the scope and the nature of the Target compromise.
The breach, which is still under investigation, is sure to cost Target hundreds of millions of dollars in remediation costs, lawsuits, fines and legal fees.
Even so, the development is unfortunate, said Gartner analyst Avivah Litan.
"You almost have to be a superhuman with 25 hours a day to spend on security issues to be an effective large retailer CIO these days. And that simply doesn't exist," Litan said.
It is also surprising that the company that assessed Target's compliance with the Payment Card Industry Data Security Standard is not taking some responsibility, she said. Target suffered the breach despite being certified as being PCI compliant.