

Target CIO resigns amid breach investigations - at-fates-hands
http://www.startribune.com/business/248578631.html

======
new_corp_dev
I have worked at the Walmart home office, and if Target's corporate culture is
remotely like Walmart's I can tell you their former CIO likely knew half as
much about Target's security practices as any of us do.

Walmart has zero career paths for technical expertise. There are low-level
technical positions (rarely entry-level) and they peak at "Technical Expert",
and to get past that you have to switch to pure people management.

The IT division, internally called ISD, is so completely inept that the
majority of the company still runs on Windows XP despite the fact that support
will expire in about a month. They had a Windows 7 team at one point, but that
team was dissolved and the rollout "suspended indefinitely".

ISD is so universally recognized as terrible that they were actually the only
reason I had a job there. Individual departments and divisions have been
forming their own "IT Teams" for years, because it's a hell of a lot cheaper
to pay somebody $70,000/year to create a half a dozen new applications yearly
than it is to pay ISD $2.8 million to do _one_ of those applications _poorly_
over the course of _two_ years. And then completely dissolve the development
team responsible and offer little to no ongoing support for the application.

Despite those exorbitant costs ISD is hemorrhaging money just trying
desperately to keep the lights on, mostly because they're still running
decades-old legacy applications and hardware. They only recently started
drawing up plans to start sunsetting some of the hundreds of legacy systems
over the course of the next decade or so.

This is really just scratching the surface of how terrible retail IT can be,
and how little they value real technical expertise. Given what I've seen I
wasn't so much surprised that the Target et al. breach happened, only that it
didn't also include Walmart or happen much sooner.

~~~
nemothekid
Huh, I thought Walmart would be better as the Walmart Labs team seems fairly
confident. Is Walmart Labs different from Walmart IT?

~~~
new_corp_dev
Walmart Labs and Walmart.com are completely separate from corporate IT, mostly
because it's the only way they can operate.

I have a good deal of confidence in Walmart Labs' technical abilities, but
they do not have responsibility for the majority of the IT areas that pain the
company as a whole.

------
brudgers
_'Target CEO Gregg Steinhafel described the search for an interim CIO as a
“first step.”'_

Well actually the first step was scapegoating the CIO rather than those
responsible for putting someone without an IT background in the position. This
was the failure of institutional culture, not an individual who accepted an
offered promotion to a level but not a position for which they were qualified.

Target's hiring of a consultant specializing in risk management and regulatory
compliance says it all. The culture hasn't changed and Target's board still
doesn't see technological expertise as a core skill.

~~~
chaostheory
"Jacob, who holds an M.B.A. from the University of Minnesota, first joined the
company in 1984 as a department store assistant buyer when it was known as
Dayton’s, then left and returned in 2002 to Target as director of guest
contact centers. She was promoted to CIO and executive vice president of
Target Technology Services in 2008, and reported to Steinhafel."

Yes, whoever promoted Jacob to CIO should also resign.

~~~
brudgers
To me, it looks like a corporate culture where CIO was just another position
and happened to be the one that was open when it was her turn to be promoted.
It's the sort of decision of which the board and senior management would all
be aware.

~~~
at-fates-hands
I've been told Target is a total shark tank. If you come in and show potential
(whatever your background is) they go to great lengths to push you up the
hierarchy and get you promoted. Those managers who don't have "The drive" as
they call it, are effectively culled from the herd and never promoted and
languish in middle management until they either move on or are let go.

Judging by her youthful looks, I'd say she was clearly on one of these "fast
tracks" and landed in the CIO position exactly as you pointed out.

~~~
nobleach
I worked at Target while in college. The people that were brought in as
managers (execs) were not people I had ever met. They'd show up one day from
some internship program, and bam 6 months later, they'd be in charge of
everything. That said, the people typically were top notch... so I couldn't
complain about their management abilities. We'd always say, "they showed up
already promoted". It was college life for me though, so I had no illusions of
ever wanting to be more than a minimum wage salesfloor guy for a couple of
years. 15 years later, and I still have dreams that I still somehow am
employed there, and I just happen to check the schedule... and CRAP, I have a
shift this week!

------
daphneokeefe
It says in the linked article "The primary responsibility for information
protection ultimately falls on the Target Information Protection team, a group
separate from Target Technology Services that reports up through Bjerke to
Target Financial Services, an arm of the company that handles credit and
noncorporate financial operations, the person said." So the woman who is the
scapegoat wasn't even responsible for data security?

------
rdl
I actually think the Target CISO (or CIO maybe) job would be awesome. Target
as a company overall is great; they might not be up to standard on IT/IT
Security, but now that the board sees how IT and IT security can affect their
bottom line (or indeed existence), whoever takes the role should be able to do
amazing things. Plus, it's high visibility when you succeed.

~~~
redbeard0x0a
> Plus, it's high visibility when you succeed.

Actually, no. That is one of the biggest problems with properly functioning IT
systems, they become invisible - nobody notices until something screws up...

~~~
chaz
I think that's true at smaller organizations where the head of IT isn't on the
exec team. But at large companies, the head of IT is a pretty serious role
(Jacob was CIO/EVP), with a very large budget, mission-critical systems, and a
big team. Someone who successfully runs IT at a company like Target can pretty
much get hired into a similar role at any other Fortune 500 company.

------
alayne
Does Target still run on mainframes?

~~~
ja27
I don't know about Target because they were one of the few major retailers we
never sold to, but most of the rest run at least parts of their business on
IBM mainframes. It was very common for us to work on integration projects
between Windows or AIX boxes at stores and data centers and the mainframe(s).
I would never claim that mainframes are fuckup-proof, but they generally are
much better protected than the Windows / AIX boxes. It wasn't uncommon for us
to be able to get any of a half-dozen IT guys with sudo / root to quickly make
any change we needed on an AIX box, but then to make a change on a mainframe
we'd have to set up a meeting with multiple people and discuss the changes. We
fought one losing battle over extending a record format: "We haven't even
recompiled that code in 7 years."

