
Target has made yet another misstep in its recovery from a massive data breach with the recent resignation of Chief Information Officer Beth Jacob.

The company’s CEO Gregg Steinhafel said to help rebuild its information security and compliance divisions.

Unfortunately, this is another example of a company with the mistaken belief that Information Technology is the same as Information Security.

“Equating IT and InfoSec is like equating your internal medicine doctor with your cardiologist,” said Deena Coffman, chief executive officer of . “They may both deal with pathophysiology, but the disciplines are distinctly different. Don’t blame your internal medicine doctor if you neglect your heart. Just because security has a large technology component does not mean it rests solely upon IT. Information Technology departments are tasked with finding applications that make the business faster, more productive, easier, etc. These goals often have to be balanced against the security for optimization. Asking one group to hold two different perspectives is neither practical nor fair to that organization. Asking the IT department to critically evaluate the system they built is akin to never checking a mirror or asking anyone else, ‘How do I look?’

“Target may have considered the responsibility held by the person who signed the contract that let the HVAC vendor access the network without security or data breach provisions. Or, they may have looked critically at the person who decided that the organization did not need a CISO. But, to blame the CIO in this instance is misguided.”

Readers, what do you think? Are IT and InfoSec considered the same in your organization?
