Month: January 2019

Enhance your Cybersecurity Stance with the RH-ISAC’s Hands-on Workshops

It’s no secret that retail, hospitality and consumer-facing companies face cybersecurity concerns. Security breaches damage the trust customers have in a brand, hurt revenue and may even cause permanent damage to the brand.

Every indicator suggests that cyberattacks will continue to strike our sectors, but our collaboration helps all member security departments improve cybersecurity – and we all get ahead of the curve. The RH-ISAC Intelligence Workshops are built by members, for their retail and hospitality cybersecurity practitioner peers. These regional events give you a chance to spend the day with top retail and customer-facing cybersecurity practitioners, network with your peers and walk away with real-world strategies for taking action on your cyber threat intel.

This year, the RH-ISAC will partner with three member companies to host workshops with content voted upon and delivered by leaders in each region. As an attendee, you’ll be an active contributor, asked to roll up your sleeves and dive into the topics most relevant for you. Here’s a peek at the lineup of topics you’ll see:

On February 26, we’ll hold our inaugural Gaming and Hospitality Cybersecurity Alliance (GHCA) intelligence workshop, exclusively for member companies in the alliance. This workshop will focus on incident response, metrics, phishing and fighting SOC burnout.

Then, on April 16, Walgreens Boots Alliance hosts an intelligence workshop at Walgreens University for retail cybersecurity practitioners in the Midwest region. Member discussion will focus on processing processes, metrics, board and committee KPI reporting and threat actor infrastructure mining.

And on May 9, we’re calling all Northeast/New England organizations to join us at PVH’s New York City headquarters for their workshop. This agenda will hold topics similar to the other workshops on threat actor infrastructure mining and processing processes, but will also explore social media as a reconnaissance tool, as well as improving the security posture of your organization with extra cycles.

Each workshop starts with registration, breakfast and networking at 8 a.m., with the program running from 9 a.m. to 4 p.m. A happy hour concludes the day, where you’ll be able to strengthen the relationships built during the day and continue the discussion.

We look forward to this lineup of events, coming to a city near you!

From Physics to Cybersecurity: An Interview with RH-ISAC Board Member, Scott Howitt

We recently interviewed RH-ISAC Board Member Scott Howitt about his involvement with the RH-ISAC and his thoughts for its future. After several retail breaches in 2014, he knew he wanted to be part of the solution to safeguard organizations and their customers. He sees opportunities to use new technologies to better secure organizations.

RH-ISAC: Can you tell us a bit about your background?

Howitt: I did not start out in information security; I graduated from college with a degree in Physics at the end of the Cold War. All the physics jobs had evaporated, so I went into a programming internship at EDS. I programmed for a few years and then went into management. I eventually became a CTO and then a CIO. As a CIO, I learned that I really did not know much about information security and it was hindering me in that position. I took a job as the director of information security at a financial services company and never looked back. I found that I had a passion for information security and now I have been the CISO at two different Fortune 500 companies.

RH-ISAC: What’s your personal approach to leadership?

Howitt: … that we should be voracious learners. Our field demands that we understand how technology is used and is evolving, so we can stay ahead of it. It is our responsibility to teach our teams how to anticipate the needs of the organization. I also encourage collaboration. Highly diverse teams bring many different points of view to a discussion and they should be heard so that you can arrive at the best outcome.

RH-ISAC: Why did you become involved in your organization, and what has your involvement looked like over time?

Howitt: When I came to MGM Resorts International, I was looking for a new challenge. We are a highly diverse industry and we are constantly trying new things and reinventing ourselves. I truly enjoy the challenges that come with securing such a fast-moving industry—and I’m also happy to work for an organization that understands risk management. It is unrealistic to think we are going to have perfect security all of the time; however, it is important to understand where key risks lie and to constantly strive to improve security in those areas.

RH-ISAC: Are there any developments that have posed important new challenges to leaders of cybersecurity organizations?

Howitt: Technology is evolving at such a rate that it makes it very challenging to keep up with the pace of change. Information security leaders need to get out of the mode of reacting to new technology. We should embrace it and use it in our own organizations so we can understand it better. Robotic Process Automation (RPA) can help us with repetitious tasks, like access provisioning. Blockchain will likely be a good solution for machine or IoT identity. Machine learning will surely replace the SIEM.

Privacy regulation is also evolving, and information security will likely have to interpret the change and help organizations implement the technical controls that will support the new regulations.

RH-ISAC: Why did you join the RH-ISAC Board?

Howitt: In 2014, nearly every retailer was being breached. After two large retailers in Dallas were announced, I found out about the gathering of retail CISOs at the National Cyber-Forensics and Training Alliance (NCFTA). After the first meeting, I knew I wanted to be a part of something bigger than just my organization. The RH-ISAC represents something that is good for our industry and our consumers. Every income stratum needs to be able to shop and I believe it is our responsibility to safeguard their information. The RH-ISAC Board comprises individuals whom I respect and I believe we all have the same mission in mind.

RH-ISAC: How would you characterize the board’s role in the RH-ISAC?

Howitt: The board has two roles in my mind. The first and most important is to help organize and provide multiple forums that allow our members to share and collaborate. The website, the listserv and the in-person summits all provide communication mediums for however you want to collaborate.

Second, we need to anticipate where the industry is going and communicate that to our members so that they can be prepared for the change. Retail and Hospitality are rapidly evolving industries, and we need to help our members understand how they are changing and how to secure that change.

RH-ISAC: Where would you like to see the RH-ISAC head in the next few years?

Howitt: I like the addition of hospitality and gaming to the forum. We are seeing the same threat actors, so there is much that we can share with each other. I would also like to see us bring in more online retailers for even greater sharing. I also hope that as we grow, we continue to see the development of comradery and friendship. You trust people that you know and the power of RH-ISAC is in the personal relationships it facilitates, and not just the organization itself.

The Results Are In! The RH-ISAC’s 2018 Member Satisfaction Survey

Retail and hospitality members: This one’s for you. At the heart of any membership organization is its members – and in an industry that’s as transformative as ours, we’re proud to do our part helping all of you make retail more secure. That’s why the RH-ISAC and its Engagement Committee launched the first annual Member Satisfaction Survey this fall, coinciding with the 2018 Retail Cyber Intelligence Summit. Our goals for the survey were simple: to establish a collective voice on behalf of our members to help guide direction for the future and ensure optimal value delivered to members.

The results, summarized in this post, were tremendously helpful. Your responses gave us added input to help validate future plans, consider new ideas and improve support. You also wowed us by showing us just how highly you value RH-ISAC membership – a whopping 93% would recommend membership to a peer. This is a powerful expression of our members’ commitment and loyalty, and along with other feedback, further served to remind us of how lucky we are to work with such a dedicated group of cybersecurity professionals. Thank you.

Now, on to the findings:

Respondents

The Core Member Survey received 82 individual responses. Strategic leaders made up the largest share of responses at 43%, with Security Ops/Mgmt the next-largest group at 28%. Analysts represented 18% of respondents and 6% of respondents indicated responsibilities outside of the categories identified. Respondents represented 39 companies, or approximately 36% of Core members. This response rate is on par with other similar surveys conducted, and leaves room for us to capture feedback from even more members next year.

Member Engagement

We asked members to rate their own level of engagement as contributors in addition to their level of engagement relative to consuming intel and information provided. The results confirmed our assessment of engagement levels, showing that self-rated engagement as a recipient of information is a full point higher than engagement as a contributor.

Based on our measures, we know that approximately 43% of members actively share threat intelligence and a significantly higher number – more than 70% – benefit from participating in intelligence and best practice information sharing over email, chat, events, webinars, calls and other communication channels. For a membership that’s just under four years old, a 70% engagement is something to be proud of. That said, the RH-ISAC team is committed to gaining even more ground in overcoming barriers to increase sharing in 2019.

Committee Engagement

Member-led Committees, Task Forces and Work Groups are a hallmark of the member-to-member collaboration and collective group work that moves the needle for cybersecurity professionals in retail. Top scoring groups included the Securing Retail Alliance (SRA) and Intelligence Task Force (ITF). Shout out to all of the members who serve as Chairs and participants in these, and in our Gaming and Hospitality Cybersecurity Alliance (GHCA), Fraud and Franchise Committees – your dedication makes these groups possible!

Value Proposition

With average scores just under the top of the range for excellence, strategic leaders feel that the RH-ISAC value proposition is clear, understood and delivered upon.

  • Virtually every program, ranging from daily emails, webinars and the Summit to listserv discussions, is mentioned as an example of significant value
  • The Retail ISAC scores extremely well on timeliness, content relevance and content quality

Where do we go from here? Key findings and plans for 2019

While we were pleased with the results from this year’s survey, our top takeaways reinforced the commitment that the RH-ISAC has made to delivering on our “by member, for member” promise. As we turn the corner into 2019, you’ll see several significant improvements and additions that speak directly to your recommendations:

Focus on information sharing – we’ll continue to focus on the ways that we can overcome barriers to increase intel and information sharing participation. We’re also enhancing our programs and how we communicate so that you get the information that matters to you when you need it. Look for these membership enhancements in 2019:

  • A new, standing quarterly discussion – How to maximize the value of your RH-ISAC member benefits – will be part of our 2019 Cyber Thursday line-up
  • Intelligence Workshops: this series of events is back by popular demand and includes content carefully crafted by members – find a workshop near you at https://rhisac.org/event/
  • New CISO invitational events: details at https://rhisac.org/event/
  • Threat Intelligence Platform evaluation and enhancements to streamline and simplify how you share intelligence

We’ll celebrate this year’s wins, hear updates and dive deeper into 2019 plans during an upcoming virtual RH-ISAC Townhall. Be sure to mark your calendars for this session taking place Thursday, January 31st from 12:00 – 1:00 p.m. Pacific / 3:00 – 4:00 p.m. Eastern, to learn more about plans for member working groups, events, programs and more.

The events calendar is already shaping up for 2019. Cyber Thursdays will be back on the last Thursday of each month, and additional webinars will be peppered in with more information you can use. If you haven’t already checked it out, you’ll find several workshops for members scheduled for 2019, including a GHCA Intelligence Workshop in February, and two additional intelligence workshops in the spring. The events calendar is located on the web at https://rhisac.org/event/ – register for Cyber Thursday webinars or find an upcoming event near you. And don’t forget to save the dates for the 2019 Retail Cyber Intelligence Summit in Denver – September 23-25.

The RH-ISAC’s most important benefit is sharing, and we look forward to 2019 and to facilitating greater sharing among all types and sizes of member organizations.