As former director of the U.S. National Counterintelligence and Security Center, Bill Evanina is adept at dealing with high-stakes threats.
But the list of threats — both visible and invisible — that retail loss prevention and cybersecurity executives face today is significant, Evanina told attendees at the NRF PROTECT conference at Cleveland’s Huntington Convention Center.
“Retail has never been in a position to have threats that are so comprehensive, complex and persistent than they are now,” said the founder and CEO of The Evanina Group, which provides risk-based security assessments for CEOs and boards of directors in the United States and Europe.
“When we look at cyber, even within the cyber threat, it’s complicated – from ransomware to DNS attacks and business email compromises all the way down to power outages and natural disaster,” he said. “The retail ecosystem has a significant pressure point just in cyber alone.”
NRF PROTECT 2022
Did you miss NRF PROTECT 2022? Take a look at our event recap.
Evanina also pointed out the very real physical threats experienced by retailers that get caught in the crosshairs of protests and violence. “Geopolitically, we are so bifurcated right now. We see a lot of that anger spill out into the streets, and where that manifests itself is retail,” specifically vandalism of storefronts and smash-and-grab looting and thefts.
The intelligence veteran recommends a holistic, “enterprise-wide focus for any company” when trying to mitigate risk. That includes bringing in other staff, management and leaders who are not part of the company’s LP or security departments.
Evanina and Scott McBride, chief global asset protection officer and CSO for American Eagle Outfitters Inc., discussed the need for even the smallest of retailers to have a “risk intelligence function within an organization.”
The employees for such a risk intelligence hub probably already exist within the organization, Evanina said.
“What I find in my business right now, inside an organization, there are data feeds and intelligence across the ecosystem,” he said. The risk intelligence hub should aggregate the data, put it in a readable format and disseminate it to the company and leadership. “And most importantly, advise and inform every employee that’s part of the company,” he said.
There are a number of free resources to collect risk intelligence information, Evanina and McBride said, including signing up for state attorneys’ alerts, and getting involved with Domestic Security Alliance Council and Overseas Security Advisory Council outreach programs.
From there, retailers must dissect the threat intelligence and contextualize it to their own company’s situation.
Failing to be a risk-aware leader and planning for all contingencies could be costly. “The enormousness of the threat that retail faces right now is across the board,” Evanina said. “It’s going to be imperative that every retailer works collaboratively within all the verticals in their company to be able to facilitate that.”