By Steve Winterfeld, Director of Cybersecurity, Nordstrom
The session Integrating Retail Cybersecurity, Loss Prevention, Risk, Fraud and Privacy had a very engaged team. We had active participation from Fortune 10 retailers, major banks, the health industry and vendors. Our discussion focused on what companies are doing to integrate functions including cybersecurity, loss prevention, risk, fraud, and privacy.
The group expanded the list to include audits and the customer experience. One participant offered an example: a company brought in a computer forensics firm to conduct an investigation, only to find out the fraud team had already done the same analysis and reported it to their leadership. This duplication of effort and lack of synergy is costing companies money, in both lost revenue and internal expense.
The group talked about different organizational structures and the impacts those can have, but generally agreed that the key to strong cybersecurity did not depend on how anyone was organized but on how clear roles were and what processes were in place to drive collaboration and integration. Some of the participants talked about how governance bodies provided this function, and others used knowledge management systems. Everyone said this was still an area in need of improvement, and there were still challenges to coordinating detection and investigations across traditionally stove-piped teams.
We talked about how companies were trying to develop both tool and data management strategies to optimize security and compliance. Some problems were solved by having the different organizations use the same tools and databases. This ranged from ticketing systems to actual security capabilities like web application firewalls.
Finally, we discussed ways to develop metrics that drive decision-making and process improvement around the integrated protection of the company: its employees, customers, and intellectual property (depending on the industry). While no one felt they had a mature system, everyone felt this was a key step. We spent some time talking about metrics by function and level of management. We agreed that metrics should drive awareness and facilitate decision-making.
Overall there were a number of interesting perspectives shared by the team, but at the end of the day, we agreed that each company needs to develop its own program. Here are some questions to help you develop yours:
- Which organizations conduct activities that tie back to protecting critical data?
- What data do they leverage to conduct their analysis (e.g. IP addresses)?
- Where there are commonalities (e.g. fraud and information security incident response), how can they collaborate?
- What tools can multiple organizations leverage to accomplish their missions (think big data here)?
- What metrics can we use to drive integration and collaboration?
Steve Winterfeld is the Cybersecurity Director for a Fortune 300 retailer. He supports cyber-architecture/-engineering, vulnerability assessments and incident response. Coordination with external vendors, subsidiaries and partners, as well as internal departments like privacy, fraud and risk, is critical to the company’s success. He holds a master’s in computer information systems and has published a book on cyberwarfare. He holds CISSP, ITIL, PMP and PCIP certifications.