“If our designers, buyers and innovators are hamstrung by security in the pursuit of product development, they will either go around us or fail to produce expected outcomes,” writes Phillip Miller, Head of Infrastructure & CISO, Brooks Brothers—and speaker at the 2018 Retail Cyber Intelligence Summit. We recently asked Phillip to respond to a few questions about the Summit, his session and retail cybersecurity. This is the first in a series we’ll be bringing you from speakers and sponsors of this year’s Summit.
So, how can cybersecurity teams make a positive impact? Read on.
RH-ISAC: If you were given an extra hour every day, what would you do with it?
Miller: Read more. There is so much to be learned about successful retailing and merchandising.
RH-ISAC: What is the key point you want attendees to learn as a result of attending your session/why is it important to them?
Miller: When I got my first computer in 1981, it did not take me long to realize that there were as many opportunities to cause it to “fail” as there were capabilities for achieving useful outcomes. As chipsets changed, languages developed, peripherals became more advanced and computers became ever more connected, those ‘failure points’ expanded exponentially. I have always enjoyed chasing down those failure points, whether self-induced, caused by third-party code or by malicious attackers. My own skills developed and matured as the capabilities of the devices also grew; the essential skills of troubleshooting, understanding networking fundamentals and the knowledge of lower-level functions of a computer were absorbed and tested at a time in the past where outcomes were not valued higher than the experimentation that achieved them. I have great concern for our industry that we are not focusing sufficiently on core skills, nor giving our team members enough opportunity for exploration and testing theories. Reliance on “tools” and “managed services” at the expense—not the augmentation of—analysis and the scientific method is a threat to our effectiveness. There is most definitely a place for automation, artificial intelligence and machine learning, but the most successful cybercriminals understand those capabilities too, and have both skills and time to deploy—with everything to win, and little to lose. If we forget how to build, debug, analyze and ‘hack’ our own systems then we are creating unnecessary opportunities for those who seek to harm our organizations. I hope that in my session, people will gain a renewed interest in some of the basics, truly understand the value of an incident response plan, and have a very tangible understanding of how close the threats are.
RH-ISAC: Do you have a top tip for making a positive impact in retail cyber security?
Miller: Invest wisely. Retailers that are successful need three things: (a) a viable profit margin; (b) products the customers will purchase; (c) a compelling reason to be the merchant of choice. As security professionals we must ensure that everything we spend on is directly connected to one of these three objectives. If we unnecessarily burden the operating expenses and suppress margins, it doesn’t matter how secure we are. If our designers, buyers and innovators are hamstrung by security in the pursuit of product development, they will either go around us or fail to produce expected outcomes. Protecting our customer information without creating unnecessary friction sometimes requires creative solutions that don’t fit cleanly into a rigid compliance framework. Wise investments in people, process and technology will help you with your company’s overall mission and you will have made a positive impact. I would also suggest that openly sharing knowledge and ideas, being part of a community and not seeking personal gain or recognition will improve the outcomes.
RH-ISAC: Do you think there is a need to create a big change in retail cyber security? If so, how would you do it?
Miller: Yes, we need to consistently and fearlessly advocate for the consumer. Too often we are presented with solutions by vendors that have excellent business solutions but lackluster security. When we approach them from a technical angle or compliance “miss,” we fail to help both the vendor and our internal stakeholders recognize the real risk. Instead we must, without using fear, uncertainty and doubt, explain from a customer perspective what the real risks are. Allow GDPR and the California privacy laws to speak for themselves—focus upon the human side and stories that illustrate the real consequences of gaps in solutions. The free exchange of data through an API’s cloud connectors, file transfers, etc. poses a genuine risk but is not easily understood. Unsecured cloud storage, weak password controls and excessive permissions in SaaS applications all contribute to the problem but are difficult to explain. As leaders in the information security business, it is a key part of our role to educate first and admonish only as a last resort. If we focus our efforts upon educating those who influence or determine future solutions, and do so from the position of a customer advocate, we have a greater opportunity for relevance and protection of customer information.
Join Phillip for Responding to a Payment Card Breach: Incident Response Planning and for the CISO panel: The Opportunities and Challenges of Outsourcing Security Operations and, if you haven’t registered for the 2018 Retail Cyber Intelligence Summit, check out the superb speaker lineup!