Marks & Spencer’s chief digital and technology officer Rachel Higham has left the retailer following a ransomware attack on its key systems, from which it is still recovering.
Higham, who had been in the role for less than two years, will be replaced by current retail director Sacha Berendji, according to M&S, which said Higham was planning to take a career break.
In an internal memo obtained by specialist retail magazine Grocer M&S chief executive Stuart Machin said that after a “challenging six months” leading the team, Higham had made the decision to step down.
“Rachel has been a valued part of the leadership team since joining, strengthening the digital and technology function, taking on a key role in recent months and laying the foundations for the future,” Machin wrote.
“Russell has been a steady hand and calm head during an extraordinary time for the business, and we wish her well for the future.”
A widespread spider attack at M&S crippled the retailer’s systems over Easter after teams were forced to take emergency action and pull systems offline.
The high street stalwart was forced to deal with gaps in its shelves due to problems with its stocking system and the suspension of various online services such as click and collect. Similar attacks simultaneously befell the Co-op and Harrods, although they are not thought to have had as severe an impact.
In the case of M&S, although most of the disrupted services are now back up and running, the financial impact will be long-lasting, with the retailer previously saying it expects to be out of pocket for at least £300m.
Traumatic experience
Managing the incident response following a high-profile cyberattack is intense and difficult work, and IT and security managers on the front lines often end up shouldering some of the blame, although there’s no indication that Higham and M&S parted ways without a negative opinion.
Nevertheless, the psychological impact of experiencing such an incident cannot be underestimated – especially when it involves a gang like the Dispersed Spider, which is sometimes known to use violent threats against its targets.
Indeed, burnout has become a perennial problem among CISOs and security professionals, and has not been helped by both the expansion of the threat landscape and the expansion of responsibilities associated with the role.
Writing in Computer Weekly in July, Tim Grieveson, CSO at ThingsRecon said: “The role of the CISO and security leader has been established as they become responsible and accountable for more assets, processes and capabilities that are critical to the business.
“And the more critical cybersecurity becomes to business continuity, customer trust and regulatory compliance, the more the CISO role is being devalued beyond recognition, and we are approaching a tipping point,” he said.
Describing the impact of the M&S cyberattack to a parliamentary committee in July, the retailer’s chairman, Archie Norman, said: “It’s fair to say that all of M&S has experienced this.
“Our regular store colleagues [were] working in a way they hadn’t worked in 30 years, working extra hours just to try to keep the show on the road. For a week, probably not counting our tech colleagues, maybe the cyber team didn’t get any sleep.”
“It’s not an exaggeration to describe it as traumatic,” Norman said.
Computer Weekly contacted M&S seeking further comment, but the organization had not responded by press time.
