The ISC West conference wrapped up last week in Las Vegas, its immense trade show floor a reminder to security executives of our industry’s importance (and the value of comfortable shoes). Inside the conference’s education sessions there was a bit of handwringing over emerging threats but also hope for how security leaders might better keep pace with the risk landscape.
Segmentation. There was no hotter topic at ISC West than the Internet of Things—even if there was no agreement on exactly what it means. Its impact on industry was also described in a variety of ways, with “messy” used as often as “revolutionary.” Several expert presenters brought up the Target hack, in which entry through an HVAC system resulted in a massive data breach, and that made “segmentation” the most-heard buzzword for protecting against the risk posed by the explosion of connected devices. Segmentation, along with a robust network infrastructure and strong policies and procedures, can help companies withstand the threat that IoT presents. You’ll have to live with vulnerabilities for years to come, warned experts, so work hard to limit the damage that can be done.
Communication. Congratulations, said many presenters and experts we interviewed: you’ve earned a seat at the table. Security has become a board-level issue. Success now depends on whether or not you can effectively communicate with the board.
“There has probably never been a time when security has been more important to the business but we’re not doing a great job communicating. C-level executives are confused by us, our message is cloudy, confusing, and they don’t see us as coming in to solve their problems,” said Bill Bozeman, president and CEO of PSA Network. He told the story of a friend and CEO of a large public company who routinely complains about his security leadership. “These guys drive me crazy, they have no clue how the business works, they speak to me in confusing acronyms and I am left without the information I need to make decisions.” Sadly, Bozeman said he knows lots of top leaders who feel the same way.
David Tyburski, CISO for Wynn Resorts and its retail offerings, suggested that you should really not talk to senior management and the board about “security.” “You need to relate everything to them in business terms,” he said. Others agreed, and recommended framing security as an element of operational business risk, since that’s something management understands. To top management, it really doesn’t matter if one security trend is up or one trend is down unless those trends have something to say about the business.
Their advice: When implementing security systems and programs, your ultimate goal should be to have them coalesce into a dynamic picture of risk. That way, you’ll have something worth communicating.
Agility. Transformation in the retail industry was mentioned during several presentations at ISC West: automated checkout, layout optimization, smart CRM, in-store personalized promotions, and so on. A corresponding transformation in threats was also a subject of discussion. And all this rapid change requires loss prevention teams to be agile if they are to stand any chance of keeping pace, experts warned. “You have to deliver security at the speed of business,” is how one presenter put it.
Agility should always be top of mind, whether you’re selecting fresh talent or new technology (for some, exploiting the cloud may be a good agility strategy, experts suggested). Agility may also require loss prevention executives to expand and strengthen internal relationships. “The bad guys are more agile so security has to be more agile, and you don’t need to make that harder by keeping things in silos,” said Mike Howard, Microsoft’s chief security officer. “You need to establish touchpoints with all the people in your business that you need to get things done so you can move more quickly.”
Collaboration. There was a “connected security expo” at ISC West, a sort of conference-within-a-conference focusing on threat convergence and integrated security solutions. But the larger lesson was to improve security’s relationship to the other parts of the business. For loss prevention to move forward, it must push the idea that security systems can be leveraged across the enterprise to enhance business opportunity, expanding the role of security beyond loss avoidance so that it becomes a true partner in the business. Getting retail security solutions approved is a lot easier if they also help to drive sales, improve operations, gain visibility into the supply chain, enhance customer service, or provide other business value.
Skepticism. You didn’t have to stroll for long in the ISC West exhibits hall to hear “no one else’s technology can do this” and similar sales pitches. The functionality of today’s security technology is indeed impressive, but it’s also a space crowded with vendors who hope to take advantage of a hot market and who may not be doing a lot of due diligence with respect to the security and safety of their products. Even product testing can’t always offer the same safety assurance as it used to, a representative from Underwriters Laboratories told us, because today’s software-driven products are dynamic and update functions and features on the fly.
You have to go beyond the sales pitch, warned experts: select vendors and integration partners with expertise in your business, and develop enough internal technology expertise that your team is capable of asking all the necessary questions.