We recently sat down with Adam Hirsch, senior vice president of information security at PVH Corp., to discuss how he built his security program. When he started at PVH Corp. seven years ago, there were no formal security operations or risk functions. He had a five-person security administration team spread across the U.S. and Hong Kong. Through his leadership, he has built a security operations program that supports a global organization with thousands of employees around the world. He restructured the entire department and is implementing a culture of transparency that gives visibility into all the security controls and tools. He has successfully retained many of his top performers and has grown his staff into a highly specialized team. He also built a number of strategic relationships across the organization to ensure the effectiveness of his security program.
His leadership changed the way PVH Corp. operates and made his company more secure through several initiatives.
We asked him questions across several different areas of a security program to help others understand how to build a holistic security operations program like he did at PVH Corp.
What are the key influences on the structure and nature of your security operations program?
It took us seven years to grow the program to where it is now. As our company matured, so did our security structure and capabilities. This allowed PVH to develop a security program that includes oversight and governance across all our businesses and IT systems, resulting in a balanced security culture throughout the organization. The program’s approach improved skills across the teams that support the security of our infrastructure and increased visibility across the organization.
Through our growth, we’ve been able to train our internal talent and develop skills to create a well-rounded and specialized team. In doing so, we’ve been able to add new cybersecurity capabilities while focusing on improving and refining the security operations program’s processes by leveraging threat intelligence and automation.
What is the scope of your security policy and what frameworks are helping you implement it?
We built our cybersecurity program around the NIST Cybersecurity Framework (CSF). We considered ISO 27001, but saw NIST CSF emerging as the industry standard for many U.S.-based Fortune 500 companies. Three years ago, PwC (PricewaterhouseCoopers) provided an in-depth assessment of our security program that is still being used to perform internal annual self-assessments. The PwC assessment leverages the CMM model to communicate the maturity of our program across the organization and to provide visibility into the effectiveness of the program.
One thing to note is that NIST CSF is an assessment of a security program’s maturity but not an assessment of the security posture. The NIST CSF doesn’t tell you about the hygiene of the program regarding efficiency of risk/vulnerability remediation and incident response. You still need to develop separate metrics and KPIs that provide insight into the timeliness and trends associated with these areas.
If there was anything I would add to help with this process, I would add a Governance, Risk Management and Compliance (GRC) tool to map to other standards to demonstrate compliance with other standards and regulations.
What, in addition to budget, are key drivers in your outsourcing aspects of your security program?
One of the biggest drivers for determining when to outsource is figuring out how to best leverage your current staff versus a services company. You must identify if it is more efficient to train and recruit certain skillsets or to outsource them. Based on the location of our administrative offices in NJ, we compete for talent with the many large companies in state, as well as companies based in NYC and Philadelphia. It would be a huge challenge to staff a 24x7x365 security operations center (SOC) with the right blend of staffing and tooling. We have chosen a hybrid model with a fully managed endpoint detection and response and SOC service, complemented by our in-house Tier 3 incident response and intelligence team.
One area that we will always keep in house is our strategy, policy and risk management team. It is critical that our in-house staff be the drivers of our security strategy. Consultants will never understand your company’s business, culture and risk tolerance the way an in-house security team will. Your security strategy must be closely aligned to your business in a manner that a consultant or services company will not understand. There are a lot of gray areas in security, and figuring out what level of risk your company and corporate leaders are comfortable with is key to your program’s success.
Outsourcing is a great tool to augment in-house staff and to enable a security program with specialized security talent. By outsourcing, we can focus on what we are really good at and can bring in outside teams to collaborate with. We use outsourcing to round out the skills and tools gaps on our team, supplementing our in-house talent.
We are interested to see the implications of the changing workforce environment due to the COVID-19 pandemic. Companies are starting to realize that employees can work efficiently from anywhere in the world, causing a change in how organizations staff and build in-house teams using more remote workers.
How do you find, select, recruit and retain the talent necessary for an effective security program?
Talent requirements for our team have evolved as our program has matured. NIST CSF helped us figure out our operations team’s capability and process gaps, which required us to determine what skill sets we had on our team and what skill sets we needed. Additionally, we’ve trained our team members to be more specialized as the team has grown in size and maturity.
We also evolved our philosophy about who to hire. Instead of focusing on specific roles, we look for the specific personality traits, a passion to learn and inquisitiveness. For our operations team, we look for people who are self-starters, passionate about cybersecurity and team players. We also look to build a well-rounded team, each with unique skill sets, while cross-training them on the other skills they’ll need in their roles.
In order to help retain our talent, we have implemented several cultural changes. We try to create a family-type environment for our staff. We are flexible with work from home and paid time off, and if there is ever a personal issue, we make sure to support the employee as best we can. PVH also encourages team outings, including team building activities, staff luncheons and monthly manager lunches. One of the most important changes we have made is working on a development plan for each member of our staff. We make sure managers have regular conversations around career development and help to find continual training opportunities, whether it’s free or paid. We expect that all members of our staff are taking both technical and soft-skill training to ensure their personal and professional growth.
What are the core tools/capabilities (open source or commercial) necessary for a new security program?
We’ve picked our tools based on how well they integrate with each other. Ultimately, if you have tools that work better together, you can detect and respond to threats faster. Integrated tools and solution suites help optimize administration and operational oversight, which help make your security environment more efficient. We’ve found that having “more tools” isn’t necessarily always better, just as having all best of breed products that don’t integrate doesn’t mean your environment is more secure.
When evaluating tools, we’ve found the best way to do so is to collaborate with others in your industry. The RH-ISAC has been extremely valuable in that aspect. Through the RH-ISAC, I’ve been able to talk to several peer CISOs on what they are using, how they deployed it and any pitfalls we should look out for.
What were/are the critical peer/partner affiliations essential to the success of your security program?
RH-ISAC is essential to growing, maturing or maintaining a security program. The RH-ISAC Summit is one of the best events at RH-ISAC because of the closed-door roundtables with other CISOs to discuss best practices.
Other partnerships that have been critical are local CISO events and conferences. These help to build relationships with local peers to reach out to when you have questions. I also think having a mentor can be extremely beneficial for the success of a security program. RH-ISAC has facilitated some of those relationships, including Jim Cameli, VP and global CISO at Walgreens Boots Alliance, and Colin Anderson, global CISO at Levi Strauss & Co. They have been great sounding boards for various issues and situations I have encountered over the years. My organization was able to sponsor a paid coaching program for me, as well.
Another tip for building a security program is to be comfortable asking questions of your peers, both inside and outside your organization – it’s OK to be vulnerable and admit you don’t know something. This will help you build trust with others and ultimately enable you to have open and honest conversations with them, knowing that they won’t put you in a compromising position.
How would you answer this question regarding your overall security program development experience: “Knowing what I know now I would…”?
Joining the RH-ISAC from day one has provided us so much benefit and value to our security program. Being able to collaborate and connect with peers on best practices or what they are currently working on has helped me to improve our program.
Outside of joining RH-ISAC, relationships within your company are key to your overall success. Corporate politics are a big part of every organization, and knowing and understanding them is vital to creating a successful security program. If you understand your business and the pulse of the organization, you’ll be better able to create a successful security program.
A big part of becoming a partner to your business is becoming the voice of “yes.” Security is too often thought of as being an inhibitor or often saying “no” to new ideas or strategies. I have instilled a culture of “yes” within my team. The word “no” has been replaced with “yes, and you can do it by doing X, Y, or Z ….” Providing solutions and the pathway for delivering on their strategies has changed the way our department interacts with the rest of the organization and has made a positive impact on our program overall.
About Adam Hirsch
Adam Hirsch is the senior vice president of information security at PVH Corp. In this role, he manages a global information security team responsible for preventing, monitoring and responding to information/data breaches and cyberattacks. Adam is responsible for the global information security strategy, where he develops and maintains policies that identify and evaluate risks organization-wide.
With over 20 years of experience in the security industry, Adam has worked in information security leadership roles in retail apparel, international banking and professional services firms. Prior to PVH, Adam worked for KPMG US, where he oversaw the security architecture and incident response teams for KPMG’s internal security group. He has served on the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) board of directors since February 2019. Adam holds a Master’s in Information Assurance from Norwich University and a Bachelor’s in Management Information Systems from Yeshiva University. Adam also holds multiple certifications, including the CISSP, CISA, PMP, and other technical certifications.