Session 3-Target

Case Summary and Key Lesson:Cybersecurity is a key topic in boardrooms today. The high-profile press exposure of this breach also provides insights to all enterprises where the security of data is a critical issue requiring mitigation strategies and continued vigilance. The key lesson of this case is understanding that information security is NOT the exclusive domain of the IT organization and that employees, executives, and Boards play an important role regarding:

• the identification and preventionof such threats as well as
• minimizing the losseswhen such attacks occur.

Case Readings:

Additional readings on Canvas (C); "NACD Board's role in cybersecurity" (C);Target Risk and Compliance Committee Charter (C), McKinsey article on "Protecting your critical Digital Assets..." (C)

Case-Specific Questions:

1. Who should have been fired and why?
2. While some consider Target's breach was unlucky being "in the wrong place at the wrong time" from a historical perspective, they were also lax in their approach to protecting customer information. Answer the following:
3. Prevention of the breach - Using facts from the case and accompanying articles, what key People, Processes, and Technology issues (you will need to be selective here...) contributed to creating the vulnerability that led to the data breach?
4. Response to the breach - What did it take so long to get the complete and accurate story and resolutionout to Target's customers, BOD and shareholders?

1. A quote from one of the articles in your readings "Effective cybersecurity requires engagement from every level of an organization, from the board of directors on down to the mailroom"exemplifies a key lesson from this case.

The BOD's risk management role is an integral component of their fiduciary duty to the company. The CEO's role is "the buck stops here" regarding all company business operations and the CIO's role is to be the information systems leader. You are the new chairperson of Target's new Risk and Compliance (R&C) committee (Reports to BOD - see charter in accompanying BB reading). This committee's work NOW includes "information security" (see "Risk Oversight" section in its new charter [in Canvas]).

Given your understanding of what just happened and its fundamental causes, what key recommendations would you make to the new CEO and new CIO regarding information security? Please use a table to display your answers.