Cybersecurity is a serious issue in retail, yet many retailers have yet to put a serious cybersecurity strategy in place. In this panel session, the panelists review the results of RH-ISAC’s annual CISO Benchmark Survey, discuss security trends in retail and explain how retailers like Ulta Beauty are working with companies like Fortinet to protect their data and brand.
Panelists:
Diane Brown, VP, IT Risk Management at Ulta Beauty
Bryon Hundley, VP of Intelligence Operations at RH-ISAC
Courtney Radke, Retail & Hospitality Field CISO at Fortinet
Moderator: Julia Hare, Editor-in-Chief at RETHINK Retail
TRANSCRIPT:
Julia Hare:
Thank you, everyone, for joining today. I am Julia Hare, Editor-in-Chief of RETHINK Retail, a leading media outlet covering DTC and retail trends. And joining me today, we have the CISO from Fortinet, the CISO from Ulta Beauty, and a VP from RH-ISAC. We’re together discussing some of the trends from the RH-ISAC annual benchmark report. And this is where they interview and look into some of the top security trends and risks from retailers as well as what some of their plans are for the year. So happy to dive into that with each of you. I will let you guys go ahead and give a quick introduction.
Bryon Hundley:
I’m Bryon Hundley. I’m the vice president of Intel Operations with the RH-ISAC. I’m actually a newbie at the RH-ISAC; I just came on to the organization back in October. However, my background is in cyber defense. So think threat intelligence, incident response, vulnerability management, threat hunting, security engineering, and those areas. Working with the RH-ISAC is interesting because we work with such a wide breadth of different organizations, and the intelligence and the collaboration that comes with that really gives us, I guess, a unique perspective on the threats that impact our membership. So I’m very happy to be here and be part of this panel.
Courtney Radke:
Yeah. And I’m Courtney Radke. I’m the field CISO for retail here at Fortinet. We’re a global cybersecurity company. My role focuses on retail, supporting retailers of all shapes and sizes. And prior to Fortinet (I’ve been here a little over two years now), I was in the retail industry, for the last 10 plus years. My last stop was in the quick service restaurant industry. So I agree, 10, 15 years ago, security looked completely different. And so it’s a continuously moving target. And I’m happy to kind of talk about what some of those challenges are that retailers are facing today.
Diane Brown:
Hi. I’m Diane Brown, and I’m really excited to be on this panel today. I am the VP of IT Risk Management at Ulta Beauty. I’ve been there for 14 years as of April. And it’s very interesting to see how this industry has changed in those last 14 years. 14 years ago, ransomware and things like that weren’t even in the picture. And now, you know that, and cloud security, third party risk, and phishing are top of mind for all of us. And I’m also very excited to be on the board of the RH-ISAC. And that organization is just a fantastic organization for sharing of information because nobody can do it by themselves. We’re stronger together. And as a collective, the retailers by having these types of organizations is just so … It makes our lives so much easier.
Julia Hare:
Diane, Courtney, Bryon, it’s great to have all three of you on the call today from all different angles. I’ll start with you, Bryon. From the RH-ISAC perspective, what were some of the top risks that you uncovered in this report?
Bryon Hundley:
Oh, my goodness. So some of the top risks that are top of mind for our members are cloud security, ransomware, third party risk, and then a grouping of phishing, business email compromise and malware. So it’s almost like the usual suspects for 2020, 2021, and now 2022.
Julia Hare:
Excellent. And are there any other security risks that you’re hearing from your customers, Courtney? Is it a lot of the same as what Bryon just mentioned?
Courtney Radke:
Yeah. It’s the broken record, but it’s a lot of the same. It’s ransomware, it’s where are they going with their cloud strategy, the who’s on first of the shared responsibility model, the application security. We’re seeing a prevalence of botnet attacks. So on mobile and loyalty apps. A lot of organizations think they just had a record year where people are signing up for their mobile and loyalty. It’s not people. It’s bots. They’re trying to scrape information, get to where the money is and that’s the data. And a lot of that comes from that third party risk as well. So a lot of organizations had to pivot quickly over the last couple years. They’ve made a lot of partnerships, some great, some didn’t have standards in security. And so they’re trying to unravel this web of where is my security risk based on, what I have deployed internally, and then who I’ve made my partnerships with.
Courtney Radke:
So we’ve seen basically the same ones. And I think what’s important to note is while they’re … it seems like the same type of risk, there’s kind of two camps. It’s, one, the advanced ones, the threats that are continuing to evolve, the ones that we have to keep up with. They’re using the same tools that we use, the AI and machine learning to get into the networks in new and exciting ways, but there’s also the same old, the known knowns, that they’re just reusing the same techniques that have been used for quite some time because they’re very successful and it’s very lucrative.
Courtney Radke:
So we’re seeing that. We’re seeing customers facing all of those same challenges. I think a lot of it comes down to … And as we’ll touch on this throughout, a theme is people. They’re attacking people because that’s the number one threat vector. And so I think as we kind of talk through this and what some of the mitigation strategies are, number one is people. Train the people. Have them understand where the risk is and make sure that they know that they’re a core and integral part of the process.
Julia Hare:
Training people is huge. And it seems like there are, as you said, advanced threats and the known threats. Would you say that either category tends to be more dangerous? Are the advanced threats coming out surprising you?
Courtney Radke:
Some of them are. Again, the speed at which they can create them, because ransomware … It’s a business. Anybody can spin up a ransomware campaign if they just jump online and download a package. It’s ransomware as a service now. There are really these conglomerates of companies coming together that say, “Let’s create the best package out there and spread it far and wide or create targeted attacks.” I think, however, the known known attacks, the ones that we feel we’re confident that we’re protecting against, they change just a little bit and slip past your defenses. Those may be just as damaging. I think the key here is whether it’s a known attack that’s been used before in a known vector or it’s a new and advanced attack, how quickly can you identify it in your network, the dwell time, which can be the most damaging, and then how far did it spread before you knew? I think that’s really the most important thing. Not what the attack is, but how far did it go and how long was it on the network?
Julia Hare:
And how long did it go undiscovered? Diane, from a retailer perspective, obviously Ulta Beauty, huge, successful, loved by all of your consumers. So lots of data, as Courtney said, for them to want to steal. Have you guys experienced threats like we’re talking about, and how are you guys navigating this?
Diane Brown:
So, yes. And to tag on to what Courtney said, it’s the people, process, and technology. There’s a ton of good technologies out there, but it just takes one person to click on one phishing email and provide credentials, especially if they’re an admin or something like that, to make that ransomware risk kick in. So we’ve been focusing a lot on making sure we have good technologies in place, and also trying to build out our security ambassadors. Trying to find people throughout the organization that can help us spread the word, and help us when we have zero-days and different types of phishing things to get that information out there. Because it just takes one person, literally one person.
Diane Brown:
We all run our phishing campaigns and we’re like, “Oh yeah, we only had 3% click.” Well, 3% of 5,000 people, that’s a lot of people. Therefore, it sounds really small in numbers, but there’s such an effect on that. And it’s evident for us because of our pen test. Every time they get in on our pen test … Well, after we’re on the inside, it’s because they escalated privileges because they guessed somebody’s password, and it’s people … It’s so hard to sometimes, trying to tell that story about why you should do this and why it’s important to the organization. Sometimes it’s challenging. So that’s why we’re trying to really start this ambassador program, where we can get more people excited about it, and more people to understand the potential risks. It’s just, it’s a challenge, like I said.
Diane Brown:
I agree with the top four that were in the RH-ISAC report. That matches up exactly. I just presented to the audit committee this week, and those were the same four that were my top four. So it’s very common, what Courtney and Bryon said. Bryon said that those are the things that are happening in the world, and we have the technologies in place. But how do we get better at the people and the process side of it? Because, to your point, they’re on your network, the dwell time is you-don’t-know-how-long. Well, if you have good processes in place that are monitoring and alerting on these types of things, then that’s going to help you reduce that time. But also … Yeah.
Diane Brown:
So, it’s a fun game. I mean, it’s a game. It’s a business. It’s a business for the bad guys and it’s a business for us, and just like we have to learn our internal business, we need to know the business of the hackers too. We need to know how they operate, what they do, and things like that in order then to try to stay even. I don’t know if we’ll ever get ahead of them, but at least we need to try to stay even with them. With some of their technology, especially.
Julia Hare:
It sounds like you have to be on the defense and offense at the same time. It’s probably easier said than done. When you talk about security ambassadors, is this a newer concept that you guys are rolling out? Has it been around a while? And is it difficult, from a human resources perspective, to get people to want to be part of that?
Diane Brown:
There are a number of companies today that do it very well. They have Security Ninja programs, whatever. That’s our biggest struggle right now, is figuring out, what do we want to call it? What will be something that will get people excited and want to become part of it? And it’s pretty obvious when you build relationships across the organization, that’s why those are so important. You get to know who are the security-minded people across the company, and then we just glom onto them. We’re just like, “Okay, you need to be my new best friend. You and I are going to work together. If I have a project, I’m going to include you on it and try to get you on there.”
Diane Brown:
Because if you can get these people that will then, in their meetings, talk about it and help present this information, I think that is what’s so important. Because it doesn’t matter how big your team is, how much online training you have people do. If it’s a 10-minute course, 10 minutes later they’re off on something else, and they’ve totally forgotten what you said. How do you keep that front-of-mind all the time? That’s why trying to do it through the relationships we have across the organization is what we have found has been the easiest to work. Haven’t gotten to the HR side of it yet to see how they feel about all of this. They know that we’re working on it, but I’m excited for the progress we’re making.
Julia Hare:
And you have to make progress really quickly, it sounds like to keep up in this space. Bryon, I’m going to pass this to you. What were some of, say, the top three identified initiatives that retailers are focusing on in 2022 as it relates more back to the report and study?
Bryon Hundley:
So definitely ransomware resilience, planning. I mean, with the rise and the focus of ransomware over the last few years, that’s definitely top-of-mind. Especially the ability to defend and respond to ransomware. And then you’ve got security for hybrid-cloud and on-prem environments. I mean, cloud is on top-of-mind for all of our systems and organizations, especially as they’re going through this digital transformation process. And then you look at, after COVID, you’ve got employees who are working remotely. So we’re getting that hybrid-cloud environment, which makes it a much more … It’s much more challenging to secure, because that attack surface has just grown tremendously.
Bryon Hundley:
Then you’ve got vulnerability management. That’s another area that we’ve seen. The vulnerabilities since, we’ll say, SolarWinds and just prior to SolarWinds have just really been a thorn in our CISOs’ sides when it comes to securing the environment, just because of the criticality of those environments. I’d like to throw two more in there, and that’s zero-trust architecture and then application security, because they’re so closely tied to the initiatives that our CISOs had. And that’s all important, especially when it comes to ransomware defense, and that ability to secure the identities within your environment, and then shore up those vulnerabilities to prevent the attackers from, or hopefully prevent the attackers from getting in.
Julia Hare:
I wanted to actually pass this to Courtney real quick, because based on what Bryon was saying and the great point you brought up about the security risks from the trend of remote work that stemmed out of the pandemic, were retailers that you work with prepared for that? I mean, whether that’s either the corporate folks working from home, or even customer service and the new programs that were so quickly rolled out.
Courtney Radke:
I don’t think initially a lot of them were. They had distinct technologies, whether it was VPN or something else, but they found that their users wanted to be more agile. They wanted to have access to technology, SaaS applications, and the barrier that was in place, just from a VPN or something else, was a little too much in some of those cases. But they got around it, or they got through it, and I think by now they have their plans in place. Whether it’s VPN, or whether it’s something else. I think a little bit caught off-guard, but a lot of them had existing technologies they could leverage, and they didn’t even know it, and they used those. Or, in this industry, there’s a lot of technology out there. There’s a lot of partners to help get through some of these things.
Courtney Radke:
I think what it shined a light on, and what I always subscribe to, is this mantra of operational do no harm. Meaning, security shouldn’t be looking for places to say no. They should be looking for places to say yes and move the business forward, innovate it. Whether that’s for the business directly, for the consumers, or whether that’s for the business and their employees. So looking for avenues to just remove friction, whether that’s in the buying process or whether that’s in users getting access to SaaS applications or other applications on the network securely. So I think they’ve moved into that now. They want to make sure that whatever plan they have in place, because work from anywhere is not going away, that they don’t have to treat their employees’ home offices as coffee shops anymore. I think that really speaks a lot to this zero trust methodology. And it’s an architecture, it’s a framework. It’s not a technology. As one of my colleagues says, you can’t go out and buy the Acme zero trust firewall. It’s not out there. It’s a foundational set of principles, of architectures and different technologies coming together to make sure that you’re protecting the people, the devices and applications, no matter where they are, no matter what network they are on, and continuously evaluating their security posture.
Courtney Radke:
That’s where we’re going to. That operational do no harm that I just talked about often seemed like it was counterintuitive to zero trust. It was a hard thing to implement over the last several years, but I think we’ve really gotten into this sweet spot where now moving into a zero trust methodology, this architecture, even if it’s just a Lego block, moving into that a piece at a time, I think it’s actually possible now. And so what I see is a lot of organizations moving to that: if they had VPN without MFA, they’re putting in MFA. If they had MFA, now they’re trying to move to passwordless authentication, both for customers and for their employees. So they’re just trying to make better what they already had, and then move into hopefully that zero trust methodology.
Courtney Radke:
But what I wanted to also talk about here a little bit is what I didn’t see in those initiatives, and we just spoke about it a little bit ago: people. The training should be really number one up there. And I think if you move training to number one and zero trust to number two, we’ll find that it’s going to take care of a lot of those challenges underneath: the risk management, the vulnerability management. A lot of those things are going to be solved by ensuring that your people are trained up and that cybersecurity is everybody’s responsibility. And then that zero trust methodology’s just protecting the entire ecosystem, from users’ devices and applications, everywhere.
Julia Hare:
Mm-hmm (affirmative). Great points, Courtney. It’s all about the people. And it sounds like even though some things are counterintuitive, there’s a huge foundation that comes into play when you’re talking about the zero trust architecture. Diane, I’m going to pass this to you. In addition to some of the things we just mentioned, the hybrid cloud environment and the other initiatives that Bryon brought up, are these ringing true for you at Ulta Beauty?
Diane Brown:
So the cloud, of course, is one of the challenges I think most of us face. It’s just dependent upon what cloud you go into. And for some of us who are in multi-cloud environments, how do you take your tools that your team knows and loves and expand them out? Because certain cloud players don’t want you to; they have their own set of tools they prefer that you use, and their perception is they’re working better than what you have today. And how do we constantly keep the people knowledgeable about these tools and know how to use the tools and how to take what the findings are and remediate the findings and things like that? So I totally agree with Courtney on the whole people issue. I always tell people if I could just get rid of the people, our company would be really safe.
Diane Brown:
I don’t have to worry about anybody’s account getting hacked, anything happening. If you can just get rid of the people on the internet, life’s good for us. But that’s not reality. That’s not the future. And so how do you make it easier for people and how do you deliver, like you said, the idea behind the cloud is you can be more agile, you can have more innovation ideas going through, but how do you do that but give them guardrails to operate in? And that’s one of the things we’re focusing on now is, “Okay, we know you need to do this. We know you want to do that. That’s one of the advantages of the cloud. But we have to be able to do it securely.” And I think having, once again, getting back to those relationships and those conversations, we’re building out our relationships with our innovation teams to say, “Okay, what works for you?” To Courtney’s point, I don’t want to always say no.
Diane Brown:
Sometimes I have to say no, but how do you go about and say, “Okay, we know you want to do this. We know you want to do this. We think this would be the best way for you to do it. Does that work for you?” And try to go at it from that perspective versus the, “No, but.” Everybody says, “Say, “No, but,” or, “Yes, and,” and all that.” But how do we actually do it so that it’s fruitful for both sides, and then I don’t have my security team, my cloud team coming to me in a panic saying, “You’re not going to believe what they just did.” And you’re like, “Well, did you let them?” “Well yeah, then okay, I do believe they just did it because if you let them, they’ll do it.” If you don’t put something in to stop people, they will do it. So I think that’s one of the challenges. I agree 100% that training, that focus and getting people, just having that security mindset from the very beginning is just so imperative to us being successful as leaders of the companies that we’re in.
Julia Hare:
With all of the responsibility on your shoulders as the CSO for Ulta Beauty, would you say the number one initiative ties back to the people and process that you just mentioned, or is there something else that you would say is your number one?
Diane Brown:
So as Courtney says, it should be number one. Is it number one from a training perspective? No. But from constantly trying to be in front of them, we do a lot around putting tips up, we do a lot of going to people’s team meetings and talking to them and explaining to them. We try to do a lot of things, like we put the report phishing button in email to make it easy for people to report phishing. And that actually was, for something as small as that, it made such a difference. Otherwise people would email me and then I’d email the team and it wasn’t very efficient to do this. But now they can send an email to this email box. It’s all automated. It goes in and says, “Okay, is this a bad email? Is this a good email?” It checks it out. And then it goes out and it responds back and says, “Yep, this is good. No, this is bad. Thank you.”
Diane Brown:
And then we automatically pull it out of everybody’s mailboxes. So it’s things like that if you can make security easy for people, then they’re more willing to do it. Just like this year, one of the things we’re going to be doing is increasing our password length. And everybody’s like, “Oh my gosh, why would you do that?” Well, if I do that, according to the pen testers, we can go down to changing your password once a year. And I did preliminary surveys because it’s all about the socialization, getting everybody excited and on board with it.
Diane Brown:
And I went to the executives and I said, “If you had to only change your password once a year, could you come up with a 16 character password?” And they’re like, “Okay, where do I sign up?” Because with BYOD devices and your laptops, trying to synchronize your passwords every 90 days when you change them becomes very painful for people. And we’re not to the point yet where we can go passwordless, as a lot of companies are doing. But that’s something in the future that we think about. But it’s how do you make things easy? Somebody told me once, how do you serve chocolate with your kale? Not everybody likes kale, and so how do you make it so you can just put that little piece of chocolate on that kale and people will think, “Wow, this isn’t so bad. I get a piece of chocolate with this, too.”
Diane Brown:
That’s how we try to think about things. We know we need to do it, but how do you make it so that people are more excited about it, versus they roll their eyes every time you walk into a room or on a Teams meeting? They’re like, “Oh no, not them.”
Julia Hare:
Yeah, no, that makes total sense. Especially from an efficiency standpoint. If I could stop changing my password every 90 days, that would be amazing.
Diane Brown:
There you go.
Julia Hare:
Courtney, hearing this from Diane, is there anything else you would add to that retailers should start doing this year?
Courtney Radke:
I think what they should start doing, and it kind of went into what Diane talked about. Within the organization, there’s people that like one cloud platform or another.
Courtney Radke:
Whether it’s for the innate tools that they have, or the knowledge that they have in programming in one, or just building what they want in a specific cloud environment. But we know that most organizations are not in one cloud environment. In fact, most organizations are in multiple-cloud environments.
Courtney Radke:
So I think one thing they need to start doing, and we’re already seeing that, is looking for this abstraction layer so that the development, the innovation, all of that stuff can happen under whatever cloud you’re on. But above that, the network and security should be across all of them. It should be one network and security policy configuration service across all of them, and those do exist.
Courtney Radke:
So I think what that’s doing is it’s removing that “No,” right? You’ve already built your security policies. You built your network policies above all of the clouds. And now you’ve just freed up your teams to innovate, to move quickly to do that.
Courtney Radke:
You know, CI/CD-type environments where security has controls in place, they have visibility in place. So they never have to come to the table and say, “No.” They can say, “Why did you do that? Because I see everything across every cloud.” But they don’t ever have to say “No.”
Courtney Radke:
So I think retailers more often now are moving into this platform approach. A product or a tool that solves just one challenge does just that. It’s that problem, and it doesn’t have really a long-term benefit.
Courtney Radke:
But when you move into this type of platform approach, which has a lot of integrations and enables a lot of automation throughout the environment, that’s where we’re starting to see retailers move.
Courtney Radke:
So I think from a cloud perspective, that multi-cloud security and networking is key. But that’s really across any part of the retailer’s environment.
Courtney Radke:
Truly subscribing to a platform, we often say that retailers are either leveraging a platform, becoming a platform themselves, or maintaining status quo. And we all know, in retail, maintaining status quo doesn’t last for very long.
Courtney Radke:
So platform approach to networking security, I think is one thing that retailers need to … they already are … but start doing more of.
Julia Hare:
Very good. So the platform approach, the multi-cloud security; are there any things that retailers should stop doing that they, for some reason, keep doing that you’re seeing from the client side?
Courtney Radke:
Yeah, I think we’ve talked about it a lot here. When it’s the people process and technology; often when an issue occurs, or risk is looked at, it’s often looked at as the technology: “Well, it’s moving so fast, we have to implement it so quickly. We’re having to do all of these things.”
Courtney Radke:
It’s not the technology; you need the technology. Technology is what’s making your business run. It’s the revenue generator. So stop looking at technology as the line item or the cost center and the problem. It’s really the people. If you fix the people, that will fix the process, and then the technology just works for itself.
Courtney Radke:
So I think treating technology truly as that revenue generator, making sure that you’re investing in your people that understand the technology, and then fixing the processes across the board: that’s really where I think where we need to go. And we are.
Courtney Radke:
Organizations know that they haven’t been able to pivot over the last couple years without technology. It’s not just happened with hamsters running on wheels. It’s everything running behind the scenes from multi-cloud to IoT, all of the omnichannel experiences; that runs on solid infrastructure, and all the way up into the cloud environment.
Courtney Radke:
That’s not going to change. It’s going to keep moving. So we need to continue to focus on the people, fixing the process, and treating technology as that revenue generator.
Julia Hare:
Excellent. Well said, Courtney, and you, Diane, as well. Bryon, this was a great discussion around the RH-ISAC report findings and diving a little deeper into it, as well as the trends for this year.
Julia Hare:
It was great having all three of you on this discussion today, and I hope that we can do this sometime again.
Diane Brown:
Thank you, Julia. It was a pleasure. Courtney and Bryon, thank you very much. I learned a lot today.
Bryon Hundley:
Yeah, thank you for having me. I really appreciate it; this was a fantastic conversation. You probably saw me nodding my head quite a bit. I was in complete agreement with everything everybody was saying; it was outstanding. I could give a big Amen for that and a hand clap. So thank you for having me.
Courtney Radke:
Yeah, same. I don’t like hearing that the risks are all still out there, but I do like seeing that there’s a lot of focus on fixing them out there. So thank you to Diane, Bryon, and Julia for being here today. I just appreciate the time to share my insights and learn from all of you on here.
Julia Hare:
Likewise, until next time.