Introducing the Practitioner Mindset Series – Interview with a Cybersecurity Professional

The RH-ISAC is on a mission to bring you useful content, fresh perspectives, and modern-day cybersecurity wisdom. Join Jennifer McGoldrick-Stenberg, membership and operations director, in this series of deep-dive discussions to find out what makes leading cybersecurity minds tick, which strategies win, and how we can all take action to overcome common industry problems.
“It is better to be a warrior in a garden, than a gardener in a war.” As a cybersecurity professional, chances are you’re familiar with parallels drawn between the wisdom of ancient military strategist Sun Tzu and the tactics and techniques of cyber warfare.
To kick off this new series, I sat down with Grant Sewell, manager of global information security at The Scotts Miracle Gro Company. With Grant recently appointed as an RH-ISAC Board Director, the conversation was a great opportunity to pick his brain on a swath of issues related to retail industry sharing, challenges, and what lies ahead. Grant draws on 13 years of experience in information security and cyber intelligence, leveraging experience gained at Fortune 500 financial firms, government, nuclear energy, and now consumer product manufacturing to flavor his perspective on the evolution of intelligence and cyber warfare.
Q. Over time, we’ve seen a shift in the corporate mindset toward a heightened focus on and prioritization of the cybersecurity function. How important is cybersecurity to Scotts Miracle Gro’s business strategy?
A. As a consumer products manufacturing company, our customers are our priority. Our job is to make products, but the focus is on managing our operational risks. We’re also evolving our manufacturing processes and modernizing our supply chain, which benefits the business greatly and reduces our operational risk, but also has the potential to expose us to increased cyber risk. Cybersecurity is a priority for our Board of Directors. The Board understands that proactively addressing cybersecurity risk is critical to maintaining resilient operations and is very supportive of this work.
Q. Scotts Miracle Gro doesn’t fit the traditional retail mold. Why did you decide to become a member of the Retail ISAC?
A. The short version is that we wanted to be a better partner to our retail customers. As a supplier to other member companies, we’re cognizant of the strengths and potential risks inherent to the nature of our partnerships. We’re committed to running a strong security program and helping however we can. By sharing information within the RH-ISAC we deepen those relationships and enhance the confidence our customers have in us.
Upon becoming members, we quickly realized that the threats we thought belonged to us were shared threats. The visibility we gained helped deepen our understanding of the threats we’re facing and opened our eyes to the sheer volume of threats we face as an industry. We bring a unique vantage point with our understanding of the full scope of the retail supply chain – from supplier, to manufacturer, to retailer.
Sharing among competitors is one of the biggest roadblocks, but it comes down to the fact that security threats are everyone’s problem. We’re all members of the same ecosystem. If we can work together to formulate solutions that provide better protection for customers and stop security threats, then we’ve won. It’s not about competition; it’s about building a unified approach to protecting our customers.
Q. Which emerging threats and cybersecurity risks are you focused on this year?
A. For us, it’s the threats that surface as technologies and business models evolve. We’re expanding our product lines to meet the changing needs of our customers. How can we make it possible for the customer living in an apartment in New York to plant a garden? These products leverage lawn and garden technologies that introduce sensors, irrigation, and the cloud. We’re looking at the new layers of data that emerge along with these technologies and prioritizing how we protect it.
Q. Earlier, you shared a little bit about gains you’ve made with the support of a Board that understands cybersecurity risk as a holistic component of organizational risk management. What advice can you offer to other retailers on how to articulate the impact of cybersecurity investments on business revenue?
A. Take a pragmatic approach to the risks you’re facing.
Our board wants to know that we’re producing product and getting it to retailers. Operational feasibility is important, so we’ve taken a logical, step-by-step approach to increasing our ability to secure our environment.
Enable your business partners.
We take a ‘user-first’ approach to cybersecurity. Our risk-based methodology to decision-making, process development and solution design ensures that we implement security controls that support our business goals and protect our partners from threats.
Give the board an honest perception of the threats your company faces.
We make a point to bring our executive leadership together and share real examples of threats. Then we walk through the process of how we protect the ecosystem to improve understanding and decision-making rationale. This builds our leadership team’s confidence in our security program and illustrates how our approach to cybersecurity is unified with our overall appetite for risk.