Companies in every sector today are “always on” with links throughout the supply chain. Always-on connectivity means that businesses are also always vulnerable to cyberattacks. This is why all types of businesses, especially those in the retail ecosystem, need to establish the role of Chief Information Security Officer (CISO) — and why the role must be part of the C-Suite. This role must integrate with all aspects of the business, from product development to marketing and the sales floor — whether that’s in a physical store or on a web site. A retailer’s website is the sales floor of the digital environment and potential vulnerabilities are everywhere.
How does one monitor the entrances and exits, detect unwanted visitors and respond to critical threat incidents? Theft is no longer just about merchandise, but about stealing company data and personal information from employees and customers, which is of greater value to cyber criminals than physical merchandise. It is about the things we cannot see but require access to know. And the stakes are higher in any business if a bad actor suddenly gains unwanted access: loss of billions of dollars, elevated risk of stolen identity data, national infrastructure vulnerabilities. The risk and consequences to the business from a cyberattack are shared across the organization; so, too, should ownership of managing this risk.
In the retail sector, an online presence is a major, and sometimes the only, conduit for service delivery, so the role of the CISO in building trust in the retailer’s community is of great value to the business - and this trust is a shared interest of the entire landscape of retail, providing consumers the confidence that they are conducting business safely online. The CISO is the key individual in an organization tasked with understanding the risks to business operations and is positioned to align security investments, resources and protection strategies with an organization’s mission, while addressing compliance issues for each industry sector. These strategies not only protect the systems, but the data contained within them — how it’s stored and how it moves throughout the enterprise and in some cases is shared with partners.
Each company’s risk tolerance is different, as are each company’s crown jewels, depending upon its type of business and organizational goals. This is why it is critical to have a CISO at the leadership table: to understand the business and risks to business operations, and to be a part of the conversation of any business strategy from the beginning.
CISOs also need to regularly engage with their peers in much the same way asset protection executives at competing retailers often work together against a common enemy. That’s the main reason why the Retail Cyber Intelligence Sharing Center (R-CISC) was created four years ago. The R-CISC functions as a platform where CISOs and other top executives faced with the enormous responsibility of safeguarding their organization’s data work together on cyber issues that matter most in building confidence for conducting commerce online. Cyber threat intelligence can be used to further the alignment of security resources and investment strategies by identifying and mapping known threats to vulnerabilities, key systems or processes that are priorities for the business. Our members share intelligence about threats in a secure forum in order to better strengthen their companies and help to secure the entire sector.
For example, a recent R-CISC study of top threats and concerns identified phishing, credential compromise and account takeover (ATO) as the top challenges. Accordingly, investment and security strategies for the common threat vectors utilized by these threats are a priority. By sharing best practices on how to mitigate these risks, R-CISC members become stronger individually and strengthen the industry as a whole.
The retail industry is changing at an unprecedented rate with disruptive technologies presenting both opportunities and challenges. Retailers with CISOs involved with business discussions are better able to keep pace with and stay ahead of the security challenges in their environment. Membership in the R-CISC is a great step toward meeting these challenges because members of all sizes have the ability to share cyber intelligence on incidents, threats, vulnerabilities and associated threat remediation. It’s why more than 250 CISOs and their peers will gather in Denver October 2-3 for the R-CISC Retail Cyber Intelligence Summit. Interest in this event has gained momentum every year for one very important reason. Participants understand they are stronger together in an environment where cyber threats increase daily and become increasingly sophisticated.
Suzie Squier is Executive Director of the Retail Cyber Intelligence Sharing Center (R-CISC), home of the Retail ISAC. She has been connected to the R-CISC since its inception, leading the effort to build the organization in 2014.