On Monday at NRF 2020: Retail’s Big Show, three representatives of one of the most crucial — and poorly understood — professions in retail explained the basics of what they do, how retailers can (and should) work with their own competitors to do it better, and the urgent need for more talent in this particular area. The discussion was led by Rich Agostino, senior vice president and chief information security officer at Target; joining him were Dave Estlick, chief information security officer with Chipotle, and Adam Mishler, vice president and global chief information security officer for Best Buy.
Agostino began by bringing up early, notorious data breaches, which “got a lot of attention, and it helped clarify what we were up against.” Which is not, he explained, what people think it is: The popular image of a hacker is a solitary young man in a basement somewhere, eating stale cereal and peering feverishly into his computer, looking for trouble to get into. “Hackers don’t wear hoodies,” Agostino said. “That’s not the enemy.”
Real hackers are criminal organizations, and like all organized crime, they exist because there’s money to be made. A credit card number, address and CVV number from the back of a card provides access to what’s in the account. The going rate on the dark web is 10 cents on the dollar, which means that if there’s a $5,000 line of credit, the hackers can sell it for $500. Multiply that by tens of millions of accounts, and it’s a serious business.
The hackers, Agostino made it clear, are serious about what they’re doing. “They’re an organization,” he said, “a dozen or so people, maybe as many as 50 or 60. They have deep technical skills, so they can build a lot of their own tools, and they have access to a vast marketplace on the dark web where they can purchase just about anything they can’t build themselves. They are also persistent. They didn’t just stumble across your company and see an opportunity. They’re actively looking for a way in.”
And they collaborate. These organizations often team up to try to burrow into a system, sometimes attacking from different angles, sometimes working in twos and threes at the same potential weak spot.
What should the industry do? Collaborate among themselves, for one thing. “There are organizations, but a lot of it is very informal,” Mishler said. “We talk to our peers about what we’re doing, what we’re seeing, what the threats are, what works and what doesn’t.”
Another thing the industry should do, the CISOs said, is focus on recruiting talent. It’s a new job — 20 years ago, it didn’t exist — and at the moment there are hundreds of thousands of open jobs in retail information security.
To fill those jobs, and to keep the people you recruited for them, said Estlick, you need first of all to make it clear that this is interesting work; automate as much of the grunt work as possible. You need people to both learn and teach, so they can grow and help others grow. And, of course, they need to be compensated decently. The three-legged approach apparently works; over six years, Estlick’s last organization had a 2 percent attrition rate.