Time to Go on the Offensive Against Cyber Threats
This article was published in the 2015 edition of STORES Magazine’s Show Dailies.
Just a year ago, the main questions around cybersecurity had to do with the safety of credit card information. Today, the conversation also includes protecting personally identifiable information, intellectual property and the like. And with the recent breach at Sony Pictures as a prime example, there must be more focus on “when” rather than “if.”
The Monday morning session at Retail’s BIG Show, “Cyber Threats: Developing Components of an Effective Cybersecurity Risk Management Program,” considered the possibility of going on the offensive with security rather than constantly playing defense. That means opening up ongoing dialogue with the company board, especially about what level of risk is “acceptable”; devaluing data and assets through tactics like tokenization and encryption; remembering that risks are dynamic and not static; and hiring skilled, smart, well-trained people.
Cy Fenton, SVP and CIO of Books-A-Million, moderated the panel, which included Mark Weatherford, principal of The Chertoff Group; Paul Kleinschnitz, SVP and general manager of cybersecurity solutions with First Data Corporation; and Erin Nealy Cox, executive managing director at Stroz Friedberg.
Now more than ever, Kleinschnitz noted, companies must “hone in on what the crown jewels are.” For Sony, he said, those jewels were quite different than what they would be for retailers.
“But the reality is, you’re not going to prevent a breach,” he said. “The word ‘breach’ has become too big. It simply means someone got into your environment.” The impact is when someone takes something out of that environment. That’s why he advocates devaluing the data so it won’t be of use, even if taken.
The challenge is that two-thirds of all companies that have experienced a data breach become aware of it only when notified by someone else — and criminals are inside a system for an average of 229 days before they’re detected.
“It really only takes one day to do damage,” said Weatherford, whose company provides risk management and cybersecurity breach response among other services. An average of approximately eight months before detection, he added, “is pretty profound.”
Cox, whose company works globally in investigations, intelligence and risk management, said boards and executives may want to hear that their organization is protected, and that everything is in the clear. But that puts information security officers in an awkward position. The better option is to work with the board to understand that there is always risk, to discuss what part of that risk can be mitigated and to agree on what level of risk is acceptable.
“Boards are very comfortable talking about financial risk,” she said. “We have to move boards and c-level executives to the same level when talking about security risk. We have to be talking about it constantly. … I would want security to be an item on every agenda.”
The more educated the board, Kleinschnitz agreed, the more empowered security officers will be. “Be transparent about what you are and aren’t doing,” he said, “and they’ll find the funds.”
Weatherford also noted the importance of having a playbook in place, “something that says if you have an event, you know who to call and what to do. … And I tell people this all the time: ‘If you don’t take your local FBI guy to lunch every six months, you are missing a huge opportunity.’” In the midst of a breach is not the time to start establishing a plan or making connections.
The Sony breach highlighted the fact that breaches can now come from anywhere — and that cyber criminals are skilled, smart and organized. Retailers must be the same.