"I don't understand why the qualified PCI security assessor is totally off the hook in this case," Litan noted. "CIOs rightfully rely on [qualified security assessors] to certify PCI compliance," Litan said. "Sure, the standard response is 'well, things change between annual assessments'," she said. "Yes they do, but that's a big cop-out on the QSA's part if you ask me."
Jim Huguelet, an independent retail security consultant, expressed surprise at Jacob's timing. "She did not tender her resignation in the days or weeks immediately following the disclosure, when the pressure was most acute," he noted. Jacob also didn't wait longer to put some distance between the event and her departure, he said.
"She does not appear to have a professional background in information technology, so perhaps she felt it was appropriate to allow someone with a deeper technical background to lead their IT organization through the coming months and years of the work ahead of them," Huguelet said.
The Target incident underscores the need for technology executives to keep CEOs and the entire board abreast of cybersecurity developments at all times, said Chris Pierson, chief security officer at Viewpost.
"We as an industry need to improve how we communicate that breaches are not 100% preventable and need the people, tech and processes to handle these sophisticated threats," he said. "This is a cyber, law, privacy, and risk issue that touches everyone and must be addressed holistically."