Public or Private? When it comes to what type of computer network should be implemented within a franchise retail chain, that is the question. Franchisees are challenging their chains to justify the costs, added complexity and reduced reliability of having a private network when there are other chains that operate without one. In today’s retail environment, having a basic, public Internet connection is not a good option. Good or bad, most of the business leaders and franchisees who I have worked with disagree, citing the time honored “but everyone else is doing it” argument.
IT security is truly a funny business. If you ask any business leader about the importance of having a top-notch IT security program, they will almost always tell you that it is paramount. Unless it is a large company that has regulatory requirements, when there is a conflict between a business need and a security concern, the security concerns more often than not are pushed aside or diminished. Such is often the case when determining if the chain should be leveraging a secure network (example: private frame or VPN connections) or going with a standard offering such as DSL, cable, satellite or a FIOS-like product.
Why is this such a challenge? Well, not only can you process credit card transactions over a public Internet connection, but the PCI standards say that that is OK as long as the system "uses strong cryptography and security protocols such as SSL/TLS or IPsec to safeguard sensitive cardholder data during transmission." (PCI 1.2 Requirement 4.1, to be precise.)
Most retail business leaders argue that PCI is an IT security policy. The folks in retail IT will tell you that it is not. Many retail CIOs who I have spoken with have talked about how they wish they could do “what is right” versus “the minimum to meet PCI."
In the franchisee retail IT world, if you are going to have franchisees spend more than what is required to meet the minimum standard, you had better be prepared to defend your position. Therein lies the problem: Although the list of benefits is long and significant, even the top IT professionals have a difficult time explaining to a non-technical person why having a private network is so important.
If you are looking for a surefire way to get a business leader's eyes to glaze over, try explaining private IP addresses, centralized firewall policy management, intrusion detection or vulnerability scanning. For double points, do it without a whiteboard or paper. Want triple points? Do it without even using your hands as a visual aid. (Good luck!)
Another problem is that IT security is such a nebulous term. After all, you could never mitigate all of the risks, at least not without putting yourself out of business. So who is best suited to determine what level of IT security is appropriate?Although in most cases it would be CIOs, or maybe even Chief Security Officers (CSOs), who would recommend appropriate standards, they are unlikely to be the ones who actually approve the standard. Approval of the security standards is typically done by the business leaders. (Line of business. Black Gold. Texas Tea.)
So when you are dealing with a franchise retail chain, you are likely dealing with hundreds or thousands of different business leaders (franchisees) who all have their opinion about the appropriate level of security and the associated costs. Because the value of different IT security approaches/frameworks is very difficult to quantify, it is very difficult to justify these expenses. What typically happens is that the CIO is forced to “trade down.” Consider this dialogue:
CIO: I recommend that we put a private frame network in every location to increase security and reliability.
Business Leader: That is too expensive.
CIO: OK, although we will definitely lose reliability, what if we went to a VPN-based approach?
Business Leader: Do you really need a private network to process credit card transactions?
CIO: Technically, no, but...
Business Leader: Well, then can’t you just put in a firewall?
CIO: We can, but we lose having a private network, and managing security policy on 1,000 different devices is difficult and time consuming.
Business Leader: You mean you can’t just install some software that will protect us?
CIO: We could install some application firewalls, but now you really leave yourself exposed to potential threats.
Business Leader: It’s settled. Each site will get a new installation of virus protection software. Great talk!
As with most things in IT, at the end of the day it comes down to the business leader making a decision about costs versus value. Unfortunately, in most cases, the true value of IT security will only be understood after an incident that impacts the business leaders occurs. The recent string of IT security breaches at large retailers should have had a greater impact on companies in the industry with the “If it happened to them, then it could happen to us" mentality. But, unfortunately, it did not and likely never will.
Instead, all of the emphasis is put on PCI and the deficiencies in the standards. I believe that this is mostly being done so that a CIO can say, “Hey, it’s not just me thinking this is the right thing to do, it is the standard/regulation/law.” Which takes away the debate.
What do you think? Love it or hate it, I’d love to gain some additional perspectives. Leave a comment, or E-mail me: Todd at [email protected].