In 2014, the NRF CIO Council — a collection of some of the retail industry’s most senior technology executives — was meeting at Retail’s Big Show. Among the attendees was Cy Fenton, then CIO for Books-A-Million. CNN was playing on the TV in the background in the conference room when a chyron across the bottom of the screen caught the attendees’ attention. The anchor was talking about a recent high-profile retail cybersecurity incident — the Target breach in which hackers stole detailed credit and debit card information for approximately 40 million accounts, as well as personal information on about 70 million Target customers.
NRF’s CIO council currently consists of more than 140 CIOs and CTOs, representing a broad cross-section of retail member companies.
The CNN anchor also reported on recent hacks on Neiman Marcus that compromised 1.1 million customers, and noted that the FBI was working with retailers across the country to protect customer and business information from further hacks.
“The CIO for Neiman Marcus was sitting right across from me,” said Fenton, now a managing consultant for Proximus Consulting Group. “It became very obvious we needed to do something about that and start sharing,” Fenton said at NRF PROTECT.
‘The Year of the Hack’
That day, the CIOs sitting around the table began to understand the significance of the threat to the industry, as well as the frequency with which such incidents would soon occur. Later that year, The Home Depot was hit by a cyberattack that led to 109 million records being compromised; eBay saw 145 million pieces of personal data compromised in an unrelated attack. CNBC (and others) declared 2014 the Year of the Hack.
This council is open to retail sector cybersecurity leaders and technical experts within NRF retail member companies who exchange information on current cyber threats and industry best practices.
“What trade organizations like NRF do is convene people … and that’s what we did,” Fenton said, noting that the group brought “as many security people together as we could,” to form NRF’s IT Security Council, a key forum for cybersecurity leaders from retail companies to work together and learn from each other, in support of efforts to enhance their capabilities to combat cyber threats.
“Hope is not a strategy and there’s no such thing as risk elimination, so what does preparedness look like,” asked Adam Isles, principal and head of cybersecurity at The Chertoff Group, which helped facilitate Council and retailer meetings with government and law enforcement officials, including the Department of Homeland Security. “It expanded another layer on to who are the other stakeholders who can help us.”
Recognizing a need for improvement
Since its inception in 2014, the IT Security Council has been the fastest-growing, and one of the best-attended, of NRF's groups, with over 250 members currently.
“I remember that first call,” said De Runtz, who is now senior director of cybersecurity and technical infrastructure for Peet’s Coffee and a founding member of the Council. “We needed to have our own call separate from CIOs, so we could get more technical. And then off we went.”
Prior to 2014, there weren’t many chief information security officers in retail and there had only been a couple of major, newsworthy security breaches, specifically TJX in 2007 and Sony’s data breach through its PlayStation network in 2011.
De Runtz remembers highlighting potential data security risks to leadership at BevMo, but it “still wasn’t a retail issue. Fast forward to Target, and all of a sudden — in a matter of two months — I went from the voice calling in the wilderness to sitting in front of the board talking about the resources we needed and how this wouldn’t happen to us,” he said.
Ulta was fortunate at that time, said Diane Brown, now Ulta’s vice president of IT risk management and a Council founding member. The beauty retailer had put in a major credit and debit card tokenization system in late 2013. “For the first time in my life, I was able to sit back and sigh deeply,” she said.
However, the 2014 breaches did raise awareness among the Ulta leadership, so Brown and her team began to focus on securing their ecommerce networks. “It was an ‘a-ha’ moment in the business, and all of a sudden, funding and resources were available,” she said.
Building relationships across the retail community
In 2016, retailers began participating in CyberStorm, a biennial national cyber exercise that assesses and strengthens cyber preparedness and tests incident response processes. It is organized within the Department of Homeland Security by the agency that preceded the Cybersecurity and Infrastructure Security Agency.
The ability to share information and cybersecurity plans, and to build key relationships with those in law enforcement and government, has been the biggest benefit of the IT Security Council over the last 10 years, the panelists agreed.
“We’ve done a lot of things over the last 10 years,” Fenton said, “but the best, most valuable thing is the relationships we’ve built.”