Breaches a strain on company tech execs

NEW YORK - With hackers putting top technology executives under severe pressure, the sudden departure of Target’s chief information officer in the wake of the company’s pre-Christmas data breach has only ratcheted up the stress.

Years ago, the job of a chief information officer focused mainly on the upkeep of a company’s computer systems. In their largely behind-the-scenes roles, most decisions by information officers centered on the kinds of technological innovations a company would adopt, when and how much to pay for system upgrades and the creation and maintenance of company websites.

But the rise of computer crime in recent years changed the job description.

At the same time, the surging use of personal smartphones and tablets in business settings is giving the executives even more technology to manage, along with countless new points of entry for hackers to breach company systems.

As a result, information officers have their hands full and are finding themselves in a much more high-profile role than ever before.

Target Corp.’s breach sent shockwaves through the profession. And information executives from companies in all walks of business - from retail to banking and drug discovery - are using the breach as a rallying point to call attention to their work in order to garner additional funds and manpower to fight digital threats.

Cyberattacks were on the rise long before Target’s news that hackers had stolen 40 million debit and credit-card numbers, along with the personal information of as many as 70 million people. A 2013 Hewlett-Packard Co.-sponsored study by the Ponemon Institute found that the average annual cost of cybercrime incurred by a benchmark sample of U.S. organizations was $11.6 million per organization, a 26 percent increase from the previous year.

For a host of companies, the Target breach was a pivotal event that permanently altered the way they approach data security. Many information officers say they’re receiving more support, but they say the trade-off is that they’re facing increased scrutiny from their CEOs and other executives. If their fortress walls fall to hackers, their jobs will be on the line.

Ken Grady, chief information officer of life-sciences company New England Bio-Labs Inc., said the increased attention to data security has been a good thing for him. It has prompted much needed support from colleagues. But that backing comes at a cost.

“If I have a breach in spite of all that, I need to be able to say that we did everything we could to prevent it,” Grady said. “If I can’t do that, then it would have a negative effect on me.”

Analysts believe the Target data theft couldn’t have had a positive effect on Beth Jacob, who had served as the company’s information executive since 2008. Target said Wednesday that Jacob’s resignation was her decision, but analysts say Jacob took the fall from a slew of bad publicity for the Minneapolis-based company.

Target is in the midst of overhauling its information and compliance division and plans to look outside the company for a chief information security officer and a chief compliance officer, two newly created positions. Before the overhaul, information security functions were split among a variety of executives.

Tim Scannell, director of strategic content for the CIO Executive Council, a professional trade group, said companies have come to realize the importance of security. The result: boosted budgets and staffing increases. According to a recent council survey, computer-security professionals say they expect an average increase of 8 percent in their budgets this year.

“I think CIOs are getting more respect,” Scannell said. “They’re winning a seat at the table. But along with that, we have a heightened security risk, so they’re under pressure to do something about it.”

Scannell noted that even if a company isn’t a retailer that deals directly with consumers, most now have some kind of e-commerce operations, which makes them a potential target for an attack.

Meanwhile, the number of potential ways to breach any given computer system has soared in recent years with the rise of smartphones and tablets, which along with home computers are used to remotely access company systems.

The new era of cybersecurity was a hot topic at the recent RSA tech security conference in San Francisco. Daniel Ives, an analyst for FBR Capital Markets, said many of the data-security professionals in attendance said they are increasing security spending in light of recent high-profile data breaches. He predicts that data-security spending could rise as much as 15 percent this year, nearly double 2013’s growth rate of 8 percent.

He estimates that businesses around the world will spend $30 billion to $40 billion this year on cybersecurity.

Ives said that while retailers, financial and health-care companies have the most to lose in the event of a cyberattack, any company that so much as uses mobile phones or puts customer data on their networks is also at risk.

“Getting on the cover of The Wall Street Journal in some cyberattack is a [chief information officer’s] worst nightmare,” he said. “They’re the bodyguard and the linchpins of the companies they work for more today than ever before, because of the amount of data that’s out there.”

Gerry McCartney added that in addition to malicious threats from hackers, information executives also have to deal with accidental breaches that, for example, can occur when a well-meaning employee loses a thumb drive full of data. Meanwhile, as the leader he’s also responsible for policing thousands of mobile devices and about 70,000 email accounts that are constantly under assault from phishing attempts.

Ed Brandman, chief information officer for the private equity firm KKR & Co., said his company focuses on advising its portfolio companies, which range from payments processor First Data Corp. to retailer Academy Sports, on the best practices for protecting data.

He said a major task information officers face is balancing data-security spending with the perceived potential for an attack, noting that executives also have to decide how much to spend on other technology-related investments such as computer upgrades and mobile devices.

It’s for that reason that Grady said New England Bio-Labs paid particular attention to how Target and Neiman Marcus, which also recently reported a data breach, handled their situations in terms of costs and transparency.

He said the fact that the breaches happened to those two companies shows that they can happen to anyone. The important thing is to know how to respond if the worst does occur.

“What we don’t want is to be unprepared and not have a plan, heaven forbid we have such an issue,” Grady said.

Business, Pages 19 on 03/10/2014

Upcoming Events