The common image of a hacker is that of a shadowy figure in a hooded sweatshirt attacking organizations alone from a dark basement. But that is not the hacker of today, says Rich Agostino, senior vice president and chief information security officer for Target.
Agostino, who joined Target in 2014, not long after the company suffered a large breach, says hackers generally work in teams that look more like an IT organization than a criminal operation. They are organized groups whose members have specific jobs. They have deep technical skills, so they can build advanced tools or buy what they can’t build on the dark web. They are persistent, and they evolve every day.
“When I came to Target in 2014, I had to think not about how to fix the problem from 2013 and move on, but about how to build a long-term strategy that’s sustainable to continue to evolve, just as today’s hackers do,” says Agostino. “When people talk about the Target breach, I always hear them say that Target was the first data breach. In reality, Target was not the first data breach. There were a lot before and a lot since. But it was significant because it introduced a new threat to our industry.”
Target hired hundreds of industry experts from the worlds of retail, financial services and national security, more than doubling the size of its security team. It also brought all critical functions in cybersecurity in-house to reduce its reliance on contractors and managed services. Finally, Target launched its Cyber Fusion Center, where it monitors and defends its network 24 hours a day.
Agostino described Target’s approach as part of a wide-ranging discussion on retail cybersecurity with the CISOs of Chipotle and Best Buy at NRF 2020 Vision: Retail’s Big Show, the industry’s massive annual gathering in New York.
Secure Retail Networks Depend on Cooperation
Retail is a highly competitive industry. But when it comes to cybersecurity, retailers are all being targeted by sophisticated threat actors, and brands should work together to help keep each other safe, argued Chipotle CISO Dave Estlick. “Security is not a competitive advantage,” he stressed.
Many companies have general policies restricting the sharing of internal information, especially with competitors. Even those brands that see the value in making an exception for cybersecurity may worry about the potential legal ramifications of sharing information. Nevertheless, said Adam Mishler, global CISO for Best Buy, brands should strive to work through those concerns.
“Organizations need to have this conversation internally and work with your legal, risk and technology teams and find out what’s OK to share and what’s not,” Mishler said. “We should be working together as CISOs and talking to our industry peers about what it is we’re doing and how we are tackling various different threats.”
Noting that threat actors tend to replicate their tactics across a broad swath of targets, Agostino says retailers should alert each other when they discover a particular threat. For example, if a company identifies a phishing email, alerting its peers and even rivals can stop a threat in its tracks.
“Every minute counts,” he says. “All the bad guys are working together to figure out how to attack us. Companies need to do the same to help defend against them.”
A Shortage in Cyber Talent Leaves Retailers Vulnerable
As recently as a decade ago, CISO positions were not regarded as critical, and many companies did not invest heavily in cybersecurity professionals. That’s caused a legacy shortage of well-trained pros that continues today. “There are hundreds of thousands of open cybersecurity positions available today,” Agostino says. “There will be millions available in a few years.”
Until that shortage abates, companies will have to think creatively about how to fill cybersecurity positions. Mishler says brands should look for people whose existing skills transfer to cybersecurity roles. There are a lot of people with technical skills who are qualified for this work, he added: “We need to build people and help them grow.”
Estlick argued that even people with nontechnical backgrounds can be trained to be effective security professionals. “I’m looking for people who are problem-solvers,” he says. “I’m as likely to hire someone with an economics degree as I am someone with a computer science degree. Economics is about finding patterns in the data, and that is exactly what our job is.”
Keep this page bookmarked for articles and videos from the event. Follow us on Twitter at @BizTechMagazine, or the official conference Twitter account, @NRFBigShow, and join the conversation using the hashtag #NRF2020.