Risk in Retail: Staying on the Right Side of the Headlines

In the last 30 years, the risk landscape has transformed significantly for retailers. Think back to the early 1980s: there was no internet then. Every retailer had only on-site equipment, some of which would be in their own data centers or in a rack in a small room in their office buildings.

There were no electronic connections between retailers and suppliers/partners. Cybersecurity risks were non-existent, and the primary risks that retailers faced were physical in nature, like theft of computer equipment, or fraud-related, like stealing money or stock. The idea that a hacker living in a country like Romania could pose a risk to a retailer thousands of miles away would have seemed laughable.

Fast forward to today. Many retailers operate primarily online with an ever-decreasing physical presence, and most business operations are digitized. We are also seeing retailers increasingly using hosted services where they do not buy physical equipment.

In this new world, there is much less concern about the theft of physical equipment than there is about the theft of valuable information. Digitization in the retail industry has created a different risk environment, and the old risk management rules do not apply easily in it. As retailers shift online, the risks they face change. Securing online platforms is a different proposition from securing physical POS and warehouse management systems.

So, what keeps retailers up at night? It's the same type of headline that impacted Target a few years ago: "40 million credit cards compromised" headlined a CNN news story. It's the prospect of a massive breach that is keeping retailers up at night.

Loss of trust among customers, the financial hit of a stock price plummeting and having to invest in costly security controls and talent (which run the danger of forming a kneejerk response, rather than being commensurate with the true underlying risk profile of the organization) are some of the costs that retailers will face if they get breached.

To understand how best to keep these nightmares at bay, it’s important to be aware of conditions or challenges that introduce risk. Here are three of the new challenges:
  1. Companies are becoming interconnected in ways never foreseen before the cloud came to be. This interconnectedness creates vulnerabilities and increases risks.
  2. The shift to the cloud has changed the risk landscape and increased the ways in which a retailer could be attacked or compromised.
  3. Data collection has increased exponentially. As data volume has increased, so has its value, making it extremely attractive to dubious characters. This makes data storage riskier.

This changing landscape has created serious cybersecurity risks for retailers. The security strategy that worked for them before isn't going to work now. They need to be able to evolve to meet new emerging threats. What can retailers do to prepare for these changes? 

Retailers need to understand that cybersecurity is no longer about technical controls; it is about risk management. The decisions that need to be made about cybersecurity can often impact the entire business. This is why the board and Executive Committee are increasingly working with cybersecurity leaders.

One of the ways they are engaging is by asking better cybersecurity risk questions like ‘How do we ensure that we are ahead of the new regulatory requirements?’ or ‘Are we focused on, and investing in, the right cybersecurity things?’ and if so, ‘How do we evaluate and measure the results of our decisions?’.

By asking the right questions, and responding to the answers in a way that applies sound business decision-making to a true understanding of risk exposure, senior leaders can run their organisations in the knowledge that they’re taking the right steps to stay on top of cybersecurity risk.

Another way is by assessing their cybersecurity maturity level. Maturity models provide a measurement of the cybersecurity posture of the company and enable the organization to periodically assess how it is progressing with cybersecurity. This is an excellent indicator of whether the cybersecurity of the company is moving in the right or wrong direction.

Gartner summed it up best: "To avoid exclusively focusing on issues related to IT-decision making, create simple, practical and pragmatic risk appetite statements that are linked to business goals and relevant to board-level decisions. This leaves no room for business leaders to be confused as to why security leaders were even present at strategic meetings."

An important initial step for any retailer is to take a hard look at their current employee base. Retailers need new talent that understands the new risk landscape and that can translate risk appetite into clear actions that will protect the organization whilst delivering on business goals. 

They need to invest in an experienced CISO who can prepare the retailer for these challenges, and who has a reporting line into the board or a very senior executive like the CEO, COO or CFO. In some cases, especially for pure technology companies, the CISO reports to the CIO or CTO, but this can be a bad idea. It's usually best to separate the reporting line for the CISO from the IT department head.

Investment in technical security solutions will only ever take you so far. Retailers that fail to understand the importance of recruiting staff who truly understand risk do so at their own peril. This is why it is important to invest in an experienced CISO who can translate new digital risks into pragmatic action and hire the right cybersecurity talent to meet today’s challenges.

Taking this first step – perhaps more than any other – will go a long way in making sure that news headlines don’t become the stuff of nightmares.