Four months ago, the Javits Center in New York City was bustling with more than 40,000 people attending the National Retail Federation (NRF) 2020 Vision: Retail’s Big Show. Navigating retail innovation across four incongruent floors covering 760,000 square feet – with a 15-story glass-enclosed Crystal Palace high and wide enough for endless imagination – seems insignificant now, to the new reality retailers face: a future that has been caged in by the steel pillars and geometric beams of the iconic building, which now serves as an emergency field hospital designed to treat coronavirus patients.
The collective vision companies had for the industry – to use technology and data to personalize the customer experience with seamless integrations between the physical and digital worlds – has been obscured by a global pandemic. Front-line employees that were reimagined as next generation store associates who could provide tech expertise and consultative advice on new products and services, have been furloughed. Emerging business models, such as retail as a service, that were realized as IoT-connected stores and boutique showrooms designed to facilitate mutual learning between companies and consumers, has been replaced the urgency to buy only essential items in the few stores that remain open. Curated experiences that were intended to be highly personal opportunities to build brand loyalty no longer exist in a world of physical and social distancing. Point of Sale (PoS), meanwhile, had been evolving as the ultimate consumer accommodation that could happen anytime, anywhere: in-store, online, through brand apps, digital wallets, and even selfie wallets.
The idyllic balance between these in-store and digital experiences, as a means of connection and convenience, has been disrupted by a public health crisis that has accelerated our immersion into the digital world. What was a hypothetical question at the NRF conference – am I a retailer or tech company? – now has an immediate existential meaning: who do I need to be in this moment? The transition to remote work has expedited companies’ digital transformation, whether they were ready or not, and has put increased emphasis on independently developing digital capabilities, which is already complicated by a growing skills gaps and talent shortage. This is especially true for information security teams – typically strapped for personnel and resources – that are responsible for protecting customer and company data, but now under a new set of circumstances: online-only shoppers and work-from-home (WFH) employees.
These information security teams are now responsible for a much larger remote workforce, and as new devices are added to corporate networks, pressure on virtual private networks (VPN) increases, as do the risk of cyber threats such as business email compromise (BEC), phishing campaigns, malicious spam, and ransomware. Companies may also see an increase in ecommerce and digital skimming threats as the sale of online purchases continues to grow.
RH-ISAC members represent the retail, hospitality, and travel industries that have been significantly impacted from COVID-19, but they have also benefitted from an extended network of cybersecurity professionals who are fighting the same fight. Not only are members sharing information on threat actors and tactics, techniques, and procedures (TTPs) in real-time, they’re also asking each other questions on how to navigate this new WFH world – and receiving helpful and insightful support from their peers.
This year, we launched our Research and Education Department as a part of our strategic plan, and with the support of the RH-ISAC board of directors who believe that benchmarking is instrumental for the community, while education and training can help alleviate the workforce shortage. Our program enables leaders to measure program efficiency among peers and use the insights to communicate more effectively in C-suite and board discussions. We also offer strategic and tactical learning opportunities that allow members to develop talent and gain the necessary experience to mature their programs. Here are the initiatives we have slated for 2020.
Research: Our CISO Benchmark Taskforce is the governing body that helps us design, develop, and execute a holistic benchmarking program. This year, we have several research projects:
- As a complementary survey to our 2019 CISO Benchmark study, we have launched a similar survey to our new members from the Travel ISAC. The enriched information will help CISOs understand how primary responsibilities and team composition compare to industry peers with similar company demographics. It will also help CISOs demonstrate the business investments needed to support information security priorities.
- We’ve partnered with Deloitte to assess members’ readiness and response to the California Consumer Privacy Act (CCPA), of which different parts of regulation have gone into effect January 1 or will go into effect July 1.
- For members interested in third-party domains and digital risk, we’re working with Cofense to assess how members identify, detect, and mitigate the evolving phishing threat landscape.
- For members with ecommerce interests, we’ve partnered with the Media Trust to scan websites for third-party code on all payment and transactional sites and identify associated risks.
Education: Talent maturity and workforce retention are critically important for information security teams, whether they are looking to build long-term learning programs or practical tradecraft application.
- The RH-ISAC Intel Team has developed a custom curriculum for analysts within Cybrary, our partner for online cybersecurity education. All Core Members are eligible for a 15% discount on a team subscription, which enables teams to assess and measure security skills and develop corresponding learning objectives.
- Once a month, during Tradecraft Tuesdays, member analysts demonstrate technologies, methods, and best practices for using open source tools within their security toolkit.
Training & Exercises: Simulating real-world scenarios that test and assess how people, processes, and technologies respond to a cyber incident, allow members to experience their worst day in a safe space with peers and mentors. Several exercises we have planned for 2020 include:
- A 4-hour cyber response simulation at the IBM X-Force Command Center will immerse SOC leaders, directors, and CISOs in a “fusion team” environment, where they are guided through a series of cyber-attacks.
- A 2-4 hour virtual capture-the-flag exercise will allow SOC analysts and incident response practitioners to “think like an adversary” and use open source tools in a gamified environment with mentors.
- A 4-hour threat hunting workshop will take place during the week of the RH-ISAC Cyber Intelligence Summit in September and introduce methods and threat data sets for understanding TTPs for eCommerce and digital skimming attacks.
If COVID-19 has shown us anything, it’s that adjusting to the world as it spins requires a delicate balance of prioritizing immediate needs and pursuing future goals. We can only walk so far into the horizon without first leaning on our peers and partners to help us stand where we are, in this moment. It is a time when our health and safety precautions include the need for better cyber hygiene as well. And for those who need the strength of many right now, the RH-ISAC is offering a 90-day complimentary membership for retail, hospitality, and travel companies to join our active intelligence and information sharing community. We hope you join us.
For more information, contact [email protected].
