NEW YORK — After a data breach, companies have to clean up their mess, pay settlements, and restore customers' trust.
But if a company is as popular as Target is, shoppers remain loyal.
Target's 2013 data breach wasn't the first major data breach, but it was "significant" because it introduced a new threat to retail, said Rich Agostino, SVP and CISO of Target, while speaking at the National Retail Federation (NRF) conference last week.
Target's breach recovery didn't end with remediation; it needed a sustainable security model that included active information sharing. Ever-present cyberthreats in retail are forcing CISOs to talk to each other, even if they're competitors.
Agostino is part of the Cyber Twin Cities Cybersecurity Coalition, which includes seven other companies headquartered in Minnesota, such as Best Buy and General Mills. "We didn't go to an organization" and pay sponsorship fees — the coalition was self-formed, said Agostino.
How to start the conversation
Having seen the other side of a data breach, Target knows what is required for remediation and maintenance.
"We brought all critical functions in cybersecurity in-house to reduce our reliance completely on contractors [and] managed services," said Agostino. After bringing cybersecurity experts in-house, the team has filed for at least 10 patents.
The retailer also has a cybersecurity center where team members are monitoring the threat landscape. But the retailer knows a sustainable security model isn't confined to Target's walls. Bad actors repurpose their attacks; one retailer's threat is every retailers' threat.
Retailers are all fighting the same adversaries, if one company knows how to avoid a cyberthreat, it's in the best interest of other CISOs to learn from it, said Dave Estlick, CISO of Chipotle, while speaking on the panel at NRF. "Security is not a competitive advantage."
CISOs connecting with other CISOs, whether in a formal capacity or on a text chain, is vital. In times of crisis, such as heightened cybersecurity alerts, collaboration can't be reserved for incidents post-mortem.
"Too often what happens is we find ourselves back on our heels or reactive," said Estlick. "Crisis is not the time to try to figure out what level of information are you going to share."
Estlick recommends reaching out to CISOs or companies who have already solved their business's problem and determining the following:
Does your business share information?
If yes, does your business already have an information sharing plan or reporting hierarchy?
What level and what kind of information are you willing to share?
If you're not a security professional, should you have a security conversation on behalf of the brand?
Resistance to talk
Information sharing in cybersecurity can feel taboo, though it's widely encouraged.
Companies are concerned about liabilities if they share information that's not entirely accurate or incomplete, said Agostino. But weeding through what is and isn't appropriate to share among CISOs is fairly simple.
There are two different kinds of information sharing: tactical, threat data and "more strategic benchmarking," Agostino later told CIO Dive. Strategic information sharing usually outlines how a CISO is funding their team, what tools are they using or how are they recruiting talent.
Information sharing is a lifeline for companies without the resources or bandwidth for constant threat analysis or data collection. "I hear [smaller organizations] say, 'we don't have anything to share,'" said Agostino. His response is, every company will know something someone else doesn't — bad actors replicate attacks across targets.
A company sharing an "indicator" externally is a "simple gesture" that could save a company from a phishing email-turned-data breach, said Agostino.