NOTE: This article first appeared on LinkedIn.
Target has to be the most cyber-security-blind company of those that have recently been hacked.
In a move that could only be written in pulp mysteries, Target hired Jacqueline Hourigan Rice to be chief risk and compliance officer. Prior to being hired by Target, Rice held the same position at General Motors. Yes, the same GM that has been in the news for not being in compliance with automotive safety standards, which has led to massive recalls and lawsuits with potentially large damage claims.
The job of risk and compliance is self-explanatory. Risk professionals not only assess the risk and the potential costs to the company but also work out how to keep the company in compliance with rules, policies, and laws. If the actions of GM, where Rice worked for 17 years, can be used as a barometer, Target has not learned anything from this incident.
It is apparent that Target and nearly every other company have not learned the lessons from their predecessors in managing the risks of the connected world. There is little to no imagination in their application of security. They find a checklist and run everything against the checklist. In this case, the checklist is provided by the Payment Card Industry, which has done a barely adequate job defining data security.
Target needs more than a corporate retread from a company that failed in risk and compliance to help them mitigate risks and improve compliance. Target needs a real professional without significant baggage who understands one thing Rice has not: just because it has not happened in the past or just because you have not been caught does not mean it is the right thing to do.
Until Target and other merchants learn from these mistakes, my shopping dollars will be spent with other enterprises.