What a Retail CIO Needs to Know About Security

When news of the Heartbleed computer virus hit last month, there was a collective sigh that went up across the retail industry. As if the major security breaches of the last holiday shopping season weren't bad enough, now we're facing the prospect that a pernicious bug has been targeting the widely used OpenSSL encryption program over the past two years. You read that correctly: the virus is apparently attacking an encryption program, the one thing in an internet security arsenal that was supposed to help retailers sleep at night.

At no point in the last several decades has a company's chief information officer been more important to the overall organization. That's because if CIOs can effectively manage their customers’ privacy, they'll be able to enhance loyalty, drive sales and improve a company's stock price in the midst of this challenging new environment. The recent hacking of millions of credit cards and other confidential customer information at major retail chains has put information security on the front page. A proactive, savvy CIO can put his company's safeguards on the front page as well.

In the old days, things worked more clearly: A retail CIO linked the tills to the embedded finance system and to some credit card companies. Everything was nice and secure. Today, however, the dynamics are different — even not considering what happens when a major breach occurs. Since traditional retailers are now online commercial enterprises in their own right, they need to open their supply chains to every party that helps them get merchandise to the digital consumer. Add to these developments other trends that could make enterprises more vulnerable — "Bring Your Own Device" to work and the storage of vast amounts of data on a cloud ecosystem.

So what are CIOs to do in this challenging new atmosphere? CIOs need a multipronged strategy that starts at the very top of the organization — the CEO and the board of directors. Many retailers have embraced newer technologies very rapidly in the last 24 months. In some cases, they haven't made sure that their company's security policies and procedures have caught up with these technological advancements. It's important that they overhaul everything in a holistic manner focusing on three elements: process, technology and partnerships.

On the process side, the CIO's colleague, the chief security officer, needs to make certain that everything adheres to a single standard. Start with policies on how employees access information and share hardware across departments. Many problems have their roots in faulty policies and not in the technologies used for information protection. In fact, a recent survey revealed that 21 percent of data security incidents were because of the physical loss of items like PCs, hard drives and laptops. Another 29 percent of security issues originate in social media forums. So half the instances are not the result of technology issues.

Business teams must take responsibility for classifying company and customer data in different tiers. The attack surface is expanding rapidly as an ever-increasing volume of data flows through multiple channels. To be sure, safeguarding all data at an equally high level can prove to be an unwise strategy. Would you ever consider the same level of protection for ALL your personal assets? For instance, would you keep a $1,000 electronic gadget and $10,000 of your fine jewelry in a bank's safety deposit box? Probably not.

Along those lines, it's critical that you identify the crown jewels of your organization's data and secure these with differentiated security guidelines. Therefore, even in the unfortunate event that a breach takes place, your most precious data is the last and toughest to access. The time it would take the intruders to get anywhere near it will be enough to detect the breach and safeguard the critical data.

Technology is also vital to the CIO's strategy. The arsenal of technology safeguards within the CIO's office is formidable — secure browsers, application firewalls, secure remote access, web content filters, desktop encryption, identity management, network access control, malware protection and the list goes on. Security, however, can't be viewed merely as a series of threats to be overcome. Building a fortress around your data is only half the battle.

Add into this mix the fact that retailers are beginning to source technology through the cloud. Very little of what was once securely in-house remains there. When something such as an internet virus attacks servers around the world — servers that are invariably linked because of this new paradigm of web retail — the effects can snowball very rapidly. I heard someone ask a technology expert how he rated Heartbleed on a scale of one to 10, with 10 being the metaphysical worst. His response, which he didn't flinch in delivering, was an 11!