We recently interviewed RH-ISAC Board Director, Ken Athanasiou, Vice President and Chief Information Security Officer, AutoNation, Inc., about his involvement with the RH-ISAC and his thoughts for its future. He feels that cooperation and communication are vital if retailers are to be successful in combatting organized crime and nation-state actors.
RH-ISAC: Can you tell us a bit about your background?
Athanasiou: Sure, I’m ex-military having spent 13 years in the Air Force first as an enlisted troop working on the Minuteman II intercontinental ballistic missile nuclear weapon system and then, after I earned my commission, I spent almost six additional years as a communications officer working on satellite command and control, running a base network control center, and then doing operational test and evaluation on the B-2 Bomber stealth weapon system. After I left the service, I spent several years working on information security in financial services as a BISO (business information security officer), and doing some consulting before I joined American Eagle Outfitters in 2008 as their CISO. I moved to AutoNation as their CISO in August of 2014.
RH-ISAC: What’s your personal approach to leadership?
Athanasiou: Primarily it’s ensuring that the team knows, and buys into, the strategic vision and the tactical steps required to move toward that vision. The tactical steps though I drive with a situational leadership approach, as everyone requires something a little different in order to succeed and you have to know an employee’s readiness level for each task and adjust your style from directive through delegating.
Knowing how someone thinks and understanding the differences between how you think and how they think is also critical to being able to communicate and lead effectively. You must have insight into your strengths and weaknesses and learn those of your team. Creating a diverse team with synergistic strengths and weaknesses is critical to success.
RH-ISAC: Why did you become involved in your organization, and what has your involvement looked like over time?
Athanasiou: I am a builder. I enjoy creating order from chaos and moving teams up the maturity scale. Once I get to the point where I have a mature, fully functioning team that is driving risk within an organization to an acceptable level, I end up doing nothing but troubleshooting the occasional bumps in the road. At that point, I want a new challenge. That said I also have a strong sense of ownership and can’t stand leaving a job half done.
RH-ISAC: Are there any developments that have posed important new challenges to leaders of cybersecurity organizations?
Athanasiou: The threats to the industry are constantly changing and evolving. . .at one time, retail was primarily concerned with kids defacing websites, then it was individuals stealing credit cards, then it was organized crime doing everything from stealing cards, to stealing identities, to account takeovers and using mules to move goods out of country. Now even retailers have to be aware of the upcoming threats of nation-state adversaries looking to influence and/or impact retailers that are competing against retailers in their home countries.
RH-ISAC: Why did you join the RH-ISAC Board?
Athanasiou: As a founding member of the board, I was dismayed at the lack of cooperation and communication between retailers. The bad guys were sharing all sorts of information between themselves about what was working and what wasn’t working, which vulnerabilities were easy to attack and how, and much more. But retailers weren’t talking to each other. . .the mindset, “they’re a competitor; we can’t talk to them about anything” was crippling us. This was, obviously, not the right way to succeed and we had an easy template to follow with the financial services industry’s cooperative efforts. I felt, and still feel, very strongly that we must cooperate and communicate, or we will not be successful in combatting the organized crime and nation-state actors that are threatening us.
RH-ISAC: How would you characterize the board’s role in the RH-ISAC?
Athanasiou: Vision and guidance: we have some very smart and experienced members on the board that all have great passion about this industry and this career field. Each of us is convinced that information sharing and cooperation is the right thing to do—and we have strong opinions on how to do that appropriately and effectively. We all also have full time day jobs and significant demands on us, so we depend on the RH-ISAC leadership to flesh out those visions into practical and effective functions and processes, and to execute on those.
RH-ISAC: Where would you like to see the RH-ISAC head in the next few years?
Athanasiou: We just spent a day-long session talking through the direction and vision of the RH-ISAC and came up with a number of exciting opportunities and possibilities. The RH-ISAC is definitely headed in the right direction toward greater and more efficient collaboration (both within RH-ISAC membership and with external organizations), more automated, timely and relevant intel and threat sharing, and growing our membership base by providing more and more value to all type of retailers: big, medium and small.