Marks & Spencer chief digital and technology officer Rachel Higham is to leave the retailer, in the wake of a ransomware attack on its core systems from which it is still recovering.
Higham, who had been in post for less than two years, will be replaced by current retail director Sacha Berendji, according to M&S, which said Higham plans to take a career break.
In an internal memo obtained by specialist retail magazine The Grocer, M&S chief exec Stuart Machin said that having steered the team through “a challenging six months” Higham herself had taken the decision to step back.
“Rachel has been a valued part of the leadership team since joining, building a strengthened digital and technology function, playing a key role over recent months, and laying foundations for the future,” Machin wrote.
“Rachel has been a steady hand and calm head at an extraordinary time for the business, and we wish her well for the future.”
The Scattered Spider attack on M&S crippled the retailers’ systems at Easter after IT teams were forced to take emergency action and pull systems offline.
The high street stalwart was forced to contend with gaps on shelves due to problems with its stock systems, and the suspension of various online services such as click-and-collect. Similar attacks befell Co-op and Harrods at the same time, although these are not thought to have been as severe in their impact.
In M&S’ case, although most of the disrupted services are now back up and running, the financial impact will be long lasting, with the retailer previously saying it expects to be out-of-pocket to the tune of at least £300m.
Traumatic experience
Managing incident response in the wake of a high-profile cyber attack is an intense and difficult job, and IT and security leaders on the frontlines frequently find themselves having to shoulder a certain amount of blame, although there is no indication that Higham and M&S have parted ways amid any negative sentiment.
Nevertheless the psychological impact of experiencing such an incident – particularly when a gang such as Scattered Spider, which has on occasion been known to resort to violent threats against its targets – is not to be underestimated.
Indeed, burnout has become a perennial problem among CISOs and security pros, not helped by the widening scope of both the threat landscape, and the responsibilities linked to the role.
Writing in Computer Weekly in July, Tim Grieveson, CSO at ThingsRecon, said: “The CISO and security leader role has been stretched as they become accountable and responsible for more assets, processes and capabilities critical for business operations.
“The more critical cyber security becomes to business continuity, customer trust, and regulatory compliance, the more the CISO role is being morphed beyond recognition, and we’re approaching breaking point,” he said.
Describing the impact of the M&S cyber attack before a parliamentary committee in July, the retailer’s chairman Archie Norman said: “It’s fair to say that everybody at M&S experienced it.
“Our ordinary shop colleagues [were] working in ways they hadn’t worked for 30 years, working extra hours just to try to keep the show on the road. Let aside our tech colleagues, for a week, probably, the cyber team had no sleep.
“It’s not an overstatement to describe it as traumatic,” said Norman.
Computer Weekly contacted M&S seeking further comment but the organisation had not responded at press time.
