Retail security issues move from CIO to the C-suite

NEW YORK—In a far corner of the Jacob K. Javits Convention Center, a smattering of attendees turned out for NRF's sole conference session on cyber security. A cyber crime occurs every 18 seconds, but few companies are developing proactive plans to deal with a security event before it happens.

Involving executives, including a company's board of directors, is imperative for retailers to mitigate the damage from a breach.

"CIOs have always been interested in the issues but now you're seeing CEOs, CFOs, CISOs, and [people] at the board level wondering what questions they should be asking and how to protect shareholder value," said digital forensics specialist Erin Nealy Cox, executive managing director of Stroz Friedberg. "They want to tell their boards they're doing everything they can and can't do more. But they can't make their company invincible. The threat is evolving and you have to be realistic about it."

"The reality is you're not going to protect yourself from a breach, you're going to be breached," said Paul Kleinschnitz, senior VP and general manager, cyber security solutions, First Data Corp. The goal, say the experts, is to manage the response to a breach, something that still isn't happening as often as it should given the number of high-profile data breaches that occurred in 2014 alone.

"There has been a paradigm shift within the security industry. We're incident responders, but we have to stop waiting," said Cox. "Companies are just waiting to be victimized; [roughly] 70 percent of companies are not finding out about their breaches on their own, they're being told."

"In most of the cases I've worked on, the attackers have been in their system for months," she said.

CIOs must involve their CEOs and boards to develop a plan. Quarterly or twice-yearly meetings will help to mitigate the chaos and damage that inevitably follows a cyber-security incident.

"Have a plan. The worst time to try to figure this out is in the middle of an event," said Mark Weatherford, cyber security expert and principal at The Chertoff Group. "If you don't take your local FBI guy to lunch every couple of months you're missing an opportunity. We're not even talking about the technology, but administrative oversight."

Managing the sheer number of tasks means involving departments outside of IT and leveraging outside resources. Information sharing is key, as are partnerships with outside entities, said Books-a-Million Senior VP and CIO, Cy Fenton. Books-a-Million has roughly 25 million network events to look at each day.

And it's not just large companies that are at risk. Small chains and independent retailers are also vulnerable and are less likely to survive a breach: roughly 25 percent of such businesses close following a security event, Fenton said.

There's a lot at stake for retailers and waiting for the day when payment systems are impenetrable isn't a blueprint. Have a plan, be more diligent. If your organization is more secure than your peers', criminals will go elsewhere. Said Kleinschnitz, "When being chased by a bear, don't be the last guy."
