Target and Toys R Us posted overall sales declines during the holidays.
Big thefts of consumer data from major retailers underscore the risk retailers run if they don’t pay close attention to security. That has to be the responsibility of a top-level executive focused on protecting data.
If the Target and Neiman Marcus security breaches taught us anything, it’s that for retailers there’s no better time to get serious about data security. Retailers today are collecting everything from transactional data to shirt color preferences, not to mention large sets of data as part of potential Big Data initiatives. While these data points can help boost personalization and improve customer experiences, they also stand as prime targets for hackers targeting personal data. With retailers collecting more data than ever, the cost of a hack is too high for any organization to ignore.
While all companies agree that data security is important, many lack a full understanding of their security vulnerabilities, and therefore can’t implement an effective security system. Many choose to focus their attention on external threats, but too few consider the danger of breaches by a trusted third-party vendor or worse, internal threats.
And while chief information officers have the funds to install firewalls to prevent external hacks, they often lack the resources and direction needed to implement internal security measures. IT budgets must fund myriad needs and wants, including point-of-sale systems, e-commerce infrastructure, databases, and more. Protecting data from internal users is where retailers often fall flat, yet the most common cause of a security breach is human error, with 36 percent of data breaches in 2013 stemming from inadvertent misuse of data by employees. Therefore, retailers need to focus not only on securing external threats, but also on securing the human to prevent internal threats.
The question is, who should champion these necessary security measures?
IT is the natural choice. But with competing projects and budgets, IT often falls short of implementing programs beyond the basic requirements.
CIOs are the next choice, but they’re already bogged down with implementing, maintaining, and upgrading inventory management, e-commerce tracking, order management, database management, e-mail marketing, business intelligence, and other business initiatives. These functions are crucial to keeping a retailer up and running, and therefore guzzle up the majority of a CIO’s budget.
Marketing? Surely chief marketing officers suffer from the unwanted media attention around security breaches (contrary to popular belief, some PR is bad PR). But despite a vested interest, few CMOs have the skills and knowledge to implement an effective system. If retailers really want to get serious about their data security, they have to start at the top.
The CEO is the only stakeholder with the funds and ability to allocate money to internal data security measures and create a culture of security. Plus, he or she has the most to lose in the case of a high-profile security breach.
Instead of adding more money and responsibilities to IT departments, the CIO or the CMO, it’s time for retail CEOs to create a new role, one we’ve seen popping up at several security-focused retailers: the chief information security officer (CISO). While a relatively new position, CISOs are becoming more vital in retail organizations, serving as the primary guardians of a company’s data, technologies, and assets against internal and external threats.
The role has several broad functions, but the CISO’s ability to manage the risk of internal and trusted partner threats can be one of the most beneficial. In this capacity, CISOs are responsible for analyzing data to reveal current best practices and uncovering a retailer’s baseline security. Through these internal reports, the CISO can unearth all data accessible by users and create a security framework that protects the business and its data. CISOs spearhead the implementation of new security initiatives and run company-wide training to ensure employees understand the new security measures.
By dedicating a C-suite position to improving existing security policies, retailers can better protect their highly sensitive data stores from internal threats.
Retailers need to dedicate more resources to data security, especially internally. As more high-profile breaches occur, the value of top-notch security measures will grow more apparent. But it can’t be left to the CIO to ensure data security. CEOs need to enter the security battle with a knowledgeable CISO to lock down sensitive information and prevent data heists.
This article was co-written by Raj Thukral, vice president of infrastructure and development at Pythian, a provider of data management consulting and services.