Given what we have discussed about the critical “itilities” that underlie the overall agility of Target’s IT infrastructure, can you tell me which of the author’s recommendations (see pp. 18-24 in the article) are realistic for a company like Target?
In order to help you out, let me present one example of a very useful and realistic recommendation, along with one that is not:
“Software is inventoried and white listed on POS machines”
This recommendation for whitelisting (described in more detail on page 21) is quite realistic. Moreover, restricting the number and types of applications that are allowed to run on the Point-of-Sale hardware (i.e., the cash registers in the store) would also increase the reliability and performance of these devices.
On the opposite end of the spectrum we have:
“Separation of duties would have prevented insiders from having end-to-end system knowledge or access.”
For an organization that needs to have an IT infrastructure that “supports change” as much as Target does (this is the textbook definition of agility), it is hard to imagine a worse recommendation than to diminish the degree to which insiders at Target have end-to-end knowledge of business and IT processes.