What Target's Steinhafel did wrong, and didn't

After the departure of Target CEO Gregg Steinhafel, observers were raising questions about accountability at the highest levels of corporate governance. They pointed to a pair of stumbles in Target's recent performance: the troubled roll-out of its presence in Canada and the disastrous breach of data security that compromised thousands of customers' credit information.

The Daily Circuit spoke with guests from different disciplines about the sudden news out of Target. Highlights from that conversation:

How badly did Target handle its security breach?
"I would give them a fairly poor grade on a variety of scores. I think they did several things incorrectly. The fundamental issue that they faced with the data breach was the concern amongst customers that some important financial information had been lost, and so the trust associated with the brand had been tarnished. The way to remedy that is to put your economic interests at risk. ... And Target, unfortunately, made a couple of tactical and strategic errors when the issue first surfaced.

"Their first reaction — and this is a typical managerial reaction — was to offer a price discount. And to tell customers, 'Come and shop and get 10 percent off, just like our employees.' Bear in mind that the people who had already shopped and were concerned ... were not the people being spoken to. It was the people who had yet to shop. So they were speaking to the wrong segment. They were essentially saying, 'We'll pay you a little to come shop with us, and don't worry about this other elephant in the room.' ...

"Target should have come out of the gate and expressed outrage that they had been violated; pointed out that it is not just Target that is the likely victim of this outrage, but the entire retail sector ... [and] we're going to get together and address this issue. As opposed to saying, 'We're sorry. We're saddened.'" (Akshay Rao)

Is it fair to blame Target for the data crisis?
"The amount of work necessary to secure our current amount of technology is staggering. ... Even a simple business application in a typical organization is going to be hundreds of thousands or millions of lines of software code. And anywhere in there could be the bug that becomes the next Heartbleed or Target. ...

"We've got a huge amount of software and technology that was built over the last 10 to 20 years, and it's not up to the job of preventing modern cyberattacks. In a lot of ways, it's like other big-scale crises that we face — things like global warming and our bridges failing and things like that. It's very difficult to get your head around how we get in front of this. ...

"Most companies do the security two-step: They're going to say, 'Hey, this was a sophisticated cyberattack, meaning it's very complex and scary, and our systems are up to date. We're doing all the things that are required of us by regulations, and so on.' ... They're trying to claim that being hacked, so long as it's a sophisticated attack, it's O.K. But in almost all the cases, when you dig into these attacks, they turn out not to be very sophisticated." (Jeff Williams)

What went wrong in the Canada incursion?
"Canadians shop differently from Americans. It's a little bit more like Europe. There's a little bit more tendency to select the specific store that suits the specific item that you're going to buy, whether it's a food item or a clothing or recreational item. They are not as far down the path as Americans are of doing one-stop shopping, and who's to say they ever will be? ...

"As I recall, Target went pretty big into Canada all at once, something on the order of 120 stores. And I think it might have made sense to start with a smaller set of stores and learn from those interactions. That's one of the ways you can address the liabilities of entering a country you don't know very well." (Dan Forbes)