The power of cybersecurity industry collaboration

Target, Chipotle and Best Buy discuss the power of joint intelligence to fight cyber threats
Peter Johnston
NRF Contributor

On Monday at NRF 2020: Retail’s Big Show, three representatives of one of the most crucial — and poorly understood — professions in retail explained the basics of what they do, how retailers can (and should) work with their own competitors to do it better, and the urgent need for more talent in this particular area. The discussion was led by Rich Agostino, senior vice president and chief information security officer at Target; joining him were Dave Estlick, chief information security officer with Chipotle, and Adam Mishler, vice president and global chief information security officer for Best Buy.

Agostino began by bringing up early, notorious data breaches, which “got a lot of attention, and it helped clarify what we were up against.” Which is not, he explained, what people think it is: The popular image of a hacker is a solitary young man in a basement somewhere, eating stale cereal and peering feverishly into his computer, looking for trouble to get into. “Hackers don’t wear hoodies,” Agostino said. “That’s not the enemy.”

Hackers don’t wear hoodies. That’s not the enemy.

Rich Agostino, Target

Real hackers are criminal organizations, and like all organized crime, they exist because there’s money to be made. A credit card number, address and CVV number from the back of a card provides access to what’s in the account. The going rate on the dark web is 10 cents on the dollar, which means that if there’s a $5,000 line of credit, the hackers can sell it for $500. Multiply that by tens of millions of accounts, and it’s a serious business.

The hackers, Agostino made it clear, are serious about what they’re doing. “They’re an organization,” he said, “a dozen or so people, maybe as many as 50 or 60. They have deep technical skills, so they can build a lot of their own tools, and they have access to a vast marketplace on the dark web where they can purchase just about anything they can’t build themselves. They are also persistent. They didn’t just stumble across your company and see an opportunity. They’re actively looking for a way in.”

And they collaborate. These organizations often team up to try to burrow into system, sometimes attacking from different angles, sometimes working in twos and threes at the same potential weak spot.

What should the industry do? Collaborate among themselves, for one thing. “There are organizations, but a lot of it is very informal,” Mishler said. “We talk to our peers about what we’re doing, what we’re seeing, what the threats are, what works and what doesn’t.”

Another thing the industry should do, the CISOs said, is focus on recruiting talent. It’s a new job — 20 years ago, it didn’t exist — and at the moment there are hundreds of thousands of open jobs in retail information security.

To fill those jobs, and to keep the people you recruited for them, said Estlick, you need first of all to make it clear that this is interesting work; automate as much of the grunt work as possible. You need people to both learn and teach, so they can grow and help others grow. And, of course, they need to be compensated decently. The three-legged approach apparently works; over six years, Estlick’s last organization had a 2 percent attrition rate.

More on NRF 2020 Vision

NRF 2020: Retail’s Big Show
 
Building a retail empire starts in the empire city. Find your vision at NRF 2020.
Read more
How to succeed in retail, from the people who know best
 
Lessons in authenticity, storytelling and connection from industry CEOs.
Read more
First-ever “Retail Voices by NRF” Honorees Revealed
 
NRF launches a new community of distinguished retail luminaries in partnership with global media company RETHINK Retail.
Read more