Retailers Are Focusing on Cyber Fundamentals as Threats Evolve and Security Costs Rise

22 September 2023

By Kathy Stokes

“We’re going back to basics.” This was the message that helped kickstart a lively discussion at NCC Group’s recent retail round table event, and it came from a leading CISO of a European hospitality chain.

Many in the room agreed with the sentiment. Other security leaders added market context: security costs were rising and budgets were under constant scrutiny, yet threats kept growing and they saw competitors and suppliers frequently fall victim to breaches.

A significant number of participants feared becoming the next high-profile headline after a damaging breach. Many also felt that emerging technologies such as AI and machine learning are not yet the silver bullet they are promised to be. Much of the risk they actually observed was still basic and immature in nature, for example internal users and staff not abiding by basic cyber hygiene and policies.

The attendees of our round table all held senior security roles in a mixture of UK/EU retail, leisure, and hospitality businesses, and all were mainly operating in a B2C marketplace. Many of their boards and leadership were currently putting them under pressure to justify the Return on Investment (ROI) of cyber security. They were grappling with quantifying their cyber risk versus the level of investment needed to keep their operations, customers, and businesses safe.

A CISO of one of the UK’s largest supermarkets shared their experiences with unlocking investment from their board, remarking,

“I plead with my board to see cyber in a different way. It’s not a competitive advantage or ROI generator. But it’s a huge disadvantage if you don’t have the right levels of protection in place.”

“I need the board’s ongoing investment to stop a breach happening to us because the cost of fixing it and the reputational damage and loss of trust with our customer base could result in a catastrophic hit for the business that we may never recover from. We work in a competitive landscape where a host of other viable supermarkets will quickly step into that gap we currently fill, and all trust from our customers and suppliers will be lost.”

It's a stark exchange that sounded familiar to many others in the room. As they recounted conversations with their own leadership, it was clear that all in attendance were proud of the teams they had assembled, the passion with which they treated cyber risk, and their technical expertise. Most were using technology and partners to complement and support their in-house teams.

The CISO of a leading UK fashion retailer described the lever they use to keep investment levels optimised within their business:

“We haven’t knowingly been hacked for several years, but I present to my board three things. A) Our vulnerability and attempted hack volumes. Attacks we’ve prevented. B) The results of our stress tests on our systems and people... phishing simulations, which disappointingly remain stubborn despite lots of training and compliance. C) I pull together threat intelligence and share what has happened to others in our market.”

Key takeaways and recommendations:

NCC Group hosts these round table discussions to spark insightful conversations amongst diverse groups of cyber security leaders and share ways to make their businesses - and the world - a safer and more secure place. 

When looking back at this event, there were three main topics that received extra attention during the discourse: 

1. Threat modelling. Map your risks to financial impact and spending. Quantification is hard, so start with the assets that matter most to the business and estimate the cost of losing them. Keep the model tangible so leadership can see the cost of loss or damage for themselves.

2. Don’t treat compliance as a tick-box exercise. One CISO mentioned that they had implemented a password policy that met the compliance threshold, but when they scratched beneath the surface with their own audit they found over 800 members of staff logging in to the same critical system with the same shared credentials. A shared account satisfies the letter of a password policy while defeating its purpose: there is no individual accountability, the credential cannot be revoked for one leaver without disrupting everyone else, and a single phish compromises all 800 users at once. Compliance can provide a false sense of security, so do your own due diligence on whether the control achieves what the regulation is actually asking for.

3. Review your simulation results and threat intelligence and turn them into an action plan, adjusting investment levels and strengthening defences accordingly. Although an individual cyber-attack can look random, there are trends (by region, sector and attack type) that you can plan for.
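The shared-credential finding in takeaway 2 is the kind of thing a policy document cannot reveal but an authentication log can. The script below is an added example, not code from the article or from NCC Group, showing one way to hunt for it: it parses successful logins from a hypothetical, constructed log format (the field names and the sample lines are assumptions, not any product's real output) and flags any account that is used from several distinct source machines inside a short window, which is the signature of one credential being passed around a team rather than one person moving between devices.

```python
"""Shared-account audit over authentication logs.

Added example: hypothetical log format and constructed sample data,
not the article's own material or any vendor's real log schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> src=<machine>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample data: "till_ops" is a shared account used from five tills in
# twelve minutes; "alice" and "bob" are individuals on their own machines.
SAMPLE_LOG = """\
2023-09-18T08:01:12 LOGIN_OK user=alice src=WS-0412
2023-09-18T08:02:45 LOGIN_OK user=till_ops src=TILL-01
2023-09-18T08:03:10 LOGIN_OK user=till_ops src=TILL-02
2023-09-18T08:03:58 LOGIN_OK user=till_ops src=TILL-07
2023-09-18T08:05:31 LOGIN_FAIL user=bob src=LT-0099
2023-09-18T08:05:40 LOGIN_OK user=bob src=LT-0099
2023-09-18T08:09:02 LOGIN_OK user=till_ops src=TILL-11
2023-09-18T08:14:27 LOGIN_OK user=till_ops src=TILL-03
2023-09-18T12:30:00 LOGIN_OK user=alice src=WS-0412
2023-09-18T17:45:09 LOGIN_OK user=bob src=WS-0201
"""


def parse_events(text):
    """Return (timestamp, user, source) for each successful login; reject unknown lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised log line: {line!r}")
        if m["result"] != "LOGIN_OK":
            continue  # failed attempts say nothing about who actually uses the account
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def shared_accounts(events, window_hours=1.0, min_sources=3):
    """Flag accounts logged in from >= min_sources distinct machines within any window.

    Returns {user: {"distinct_sources": n_total, "peak_in_window": n_peak}}.
    One person hopping between a laptop and a desktop over a day does not trip
    the default thresholds; a credential shared across a shift does.
    """
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))

    findings = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological, so each window starts at a real login
        peak = 0
        for i, (start, _) in enumerate(logins):
            in_window = {src for ts, src in logins[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak >= min_sources:
            findings[user] = {
                "distinct_sources": len({src for _, src in logins}),
                "peak_in_window": peak,
            }
    return findings


if __name__ == "__main__":
    for user, f in sorted(shared_accounts(parse_events(SAMPLE_LOG)).items()):
        print(f"{user}: {f['distinct_sources']} machines overall, "
              f"{f['peak_in_window']} within one hour -> likely shared credential")
```

The thresholds are deliberately parameters: a one-hour window with three machines catches a shift sharing a login, while widening the window to a day and lowering the bar to two machines will also surface individuals with multiple devices, so tune them against your own estate before acting on the output. Whatever the tooling, the point of the takeaway stands: the audit has to look at how the control is actually used, not just at whether the policy exists.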

Kathy Stokes

Senior Manager, Retail & Consumer Markets 

Kathy is a senior commercial lead across several vertical sectors, most recently Retail and CPG. With over 25 years of experience in cloud, security and managed services, Kathy has engaged with FTSE 250 organisations across the sector, including large retail corporates, leisure, gambling and casinos, to resolve their cyber challenges. Kathy is passionate about delivering sustainable security solutions, working in partnership with clients to provide a secure infrastructure for their enterprise through market-leading solutions, services and expertise.
