Part III: The View of Cyber Risk in the Retail Industry?

"The retail industry doesn’t like spending too much especially in #cybersecurity."

I heard someone say this a while ago and thought it was an interesting statement! I’ve noticed that most of the #CISO I have typically worked with are spread across financial services, critical infrastructure, legal, government and enterprises, with fewer in the retail segment, although that seems to be changing quite rapidly in the last few months.


Retail executives seem to allocate budget more "easily" for marketing and advertising, and even for physical #security. I just got back from my holidays in Japan and was amused at the number of cameras installed in an accessory store. Also, at a recent business event I attended, the speed of churning out marketing campaigns and investing in the customer experience was highlighted as a differentiator, more so than the product itself. One renowned startup spent 70K on a short marketing video alone!

The #retail industry seems pretty switched-on in complying with #PCIDSS and protecting #CHD, although the same diligence should also extend to other aspects of #CyberRisk. With #CyberMonday deals and customers signing up for loyalty programs, protecting customers' data is also part of protecting their experience. Security shouldn't be an afterthought.

Do we still have quite a way to go before cyber security is considered a natural investment in the retail sector? Thoughts?


I posted the above on LinkedIn 2 weeks ago and had quite a flurry of responses. Some of the comments highlighted that, unfortunately, due to the nature of the industry, margins are very thin. This is one of the reasons many have taken the baseline compliance approach.

Yet, another comment highlighted the importance of valuing personal data protection as it will go a long way in building consumer trust.

A 2018 report by the VMware Carbon Black Threat Analysis Unit (TAU) showed the obvious: retail organisations see a noticeable spike in attempted cyberattacks during the holiday season. TAU’s analysis across VMware Carbon Black’s global endpoint footprint revealed that global retail organizations encountered a 20% increase in attempted cyberattacks during the 2018 holiday shopping season, continuing a trend they’ve been tracking since 2016.


VMware Carbon Black conducted a recent survey measuring feedback from 20 leading CISOs from global retailers to determine how cyberattacks are evolving, how these CISOs view the threat landscape and what’s being done to stem the tide.


According to their survey, 40% of retail organizations said they’ve lost revenue as a result of a cyberattack in 2019. In the report's conclusion, the silver lining was in the statistics: more than half (53%) of surveyed retail organisations declared that they are planning to increase cybersecurity staff in 2020, and 40% plan to increase their security budget by at least 10% in 2020.

I had a few thoughts after reading the report, along with some questions of my own:

  • Although there are great pioneers in the retail industry that have made solid progress over the years and lead by example, there's still a big gap with the small to medium-sized retail companies. How are the bigger players helping them as an industry at the moment?
  • In one of my coffee chats #coffeewiththeCSuite with the CISO of Coles Group in Australia, I was heartened to hear him echoing the same sentiments. It was also good to see his thought process and walk through how he makes his decisions by applying the risk lens, while aligning and balancing it with the organisation's risk appetite. This has enabled him to get the support he needs in prioritising certain cyber risk strategies.
  • I recently met with the Head of Security of a multinational retail company who used to lead counter-terrorism activities at a national level, and he shared the importance of staying current and relevant. Phishing methods have become increasingly sophisticated, and the authenticity of emails is harder to determine. Attackers are also keeping track of the news, including announcements of market acquisitions, and one attack vector leverages current affairs: posing as the CEO in a very believable, carefully crafted and worded email coming from the CEO's personal account, sent to key accounts in an attempt to misdirect funds.
  • A key factor in our cyber risk maturity really boils down to the human factor and our people resource: the current skills of our workforce, the level of awareness of our users, the culture and mindset, while at the same time dealing with the persistence and stubbornness of user negligence. In a recent chat, the CISO of one of the major retail players also agreed that a cybersecurity-skilled workforce has become very expensive within the short span of a couple of years. They are now in demand by every industry. How would the smaller players be able to afford growing their team while competing with the market at the same time? That being said, I do see an opportunity for them to get more creative and think laterally, and in doing so create an appetite for a new breed of cybersecurity talent pool that the bigger players might not have ventured into, given that they've been hunting from the same pool all these years. (But that's a topic for another day, and perhaps another article.)

At the end of the day, a #CyberRiskLeader who can find the right alignment, and show that a good level of investment in protecting our customers, our people and brand, together with investment in the capability, know-how and preparedness to respond well in the event of any attack or breach, is contributing directly to an effective and resilient culture, and to the sustainability and longevity of the business.

As always, I would love to hear your thoughts, and the sharing of best practices, ideas and experiences is greatly welcomed!

This is Part III of a Five-Part #CoffeewiththeCSuite Series:

Part I: A Lesson from the World's very First CISO

Part II: Coffee with a Former US President's CISO

Part IV: The CISO's Strategy

Part V: Fireside Chats with the Board

To read the entire collection of the CISO kit, including global C-Suite insights and perspectives across industries, you can now get your very own copy of Cyber Risk Leaders in stores, or the e-book on Amazon, Kindle or Google Play Books.

About the Author

Shamane Tan is the published Author of Cyber Risk Leaders and the APAC Executive Security Advisor at Privasec, a leading and independent Security Consulting Firm. She has worked extensively in the Asia-Pacific region with organisations ranging from exciting start-ups to global enterprises. Shamane advises the C-Suite and IT Executives on their business security posture in light of the real challenges they face from regulatory issues and cybercrime. She is also the founder of the Cyber Risk Meetup, which runs in four major cities in Australia as well as Singapore. Her meetups offer Security Enthusiasts and Executives a unique platform to impart and exchange innovative insights.

Dan Lohrmann

Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor

4 years ago

Thanks Shamane! Excellent series - Quote: "According to their survey, 40% of retail organizations said they’ve lost revenue as a result of a cyberattack in 2019. In the report's conclusion, the silver lining was in the statistics that more than half (53%) of surveyed retail organisations have declared that they are planning on increasing cybersecurity staff in 2020, and 40% to increase security budget by at least 10% in 2020."
