Protecting the systems at Albertsons

NRF PROTECT: Observation, patience are key to maintaining supply chain cybersecurity
Peter Johnston

On Thursday morning at NRF PROTECT, two employees of Albertsons Companies — Jack Hamm, cybersecurity CTO, and Chad Walker, director, portfolio information security office — gave a presentation entitled “Purdues and Pur-Don’ts: A practical approach to supply chain cybersecurity at Albertsons.”

Albertsons provides food and drugs to customers in 2,200 stores, an effort supported by 20 distribution centers and 22 manufacturing plants. Hamm and Walker lead the teams that work to protect and maintain systems and networks that enable the organization to operate.


Did you miss NRF PROTECT 2022? Take a look at our event recap.

The two outlined the challenges many retailers face. Distribution centers and manufacturing plants operate through a multiplicity of systems, many supplied by third-party manufacturers. There are a lot of things that can go wrong with these systems, whether from malfeasance, accident or plain old wearing out.

Some of these systems, Hamm reminded his audience, are legacy systems. That can mean there probably isn’t a supply of extra parts just lying around; particular parts might not even be manufactured anymore.

The Albertsons team had some advice for people taking on a similar challenge. One step is to remain focused on protection; at every possible point, operating technology should be protected from information technology (and potentially warring bits of itself) by firewalls and other secure perimeter networks. Another is not to be in a hurry to master the operating technology.

Retail loss prevention

Browse resources and read the latest articles and press releases related to loss prevention.

Every task, Hamm noted, involves assets and workflows. Don’t try to understand all the behavior, he said — just what normal looks like. It’s also important to watch a system for a while. There are processes that get done once a month, once every six months, once a year. Don’t be in a hurry to do things. When you know what it’s like on a good day, and then you see something new, you’re better positioned to recognize and deal with it.

Hamm asked the audience to consider an image he shared from World War II: the outline of an airplane with bullet holes, the majority of which were clustered on the wings and tail. “You’re tasked with armoring the planes,” he said. “Based on this, where would you put the armor?”

One of the audience members got it right: “Not where the bullet holes are.”

And why not? “Because those are the planes that made it back,” he said.

Related content

The surprising career trajectory of cyber investigations expert Cynthia Hetherington
Picture displaying a magnifying glass and keyboard
From roadie to retail, the founder and CEO of Hetherington Group shares insights from her journey.
Read more
What it means to work in retail loss prevention
Security personnel in a retail store.
7 roles in loss prevention and asset protection that align with a retailer’s organizational structure and culture.
Read more
Strengthening retail risk management and resilience through collaboration
Individuals at NRF PROTECT.
The NRF Retail Law & Risk Workshop brings together retail legal, risk management and security teams for discussion.
Read more