This blog is part of Protiviti’s CISO Next Initiative.
Emerging from an unprecedented year that presented arduous hurdles to overcome, consumer products and retail companies confront a formidable cluster of unique information security challenges. Overcoming these obstacles requires chief information security officers (CISOs) to do more than ply their technical proficiency. They also need to elevate their communications and creative problem-solving skills.
Crafting and marketing a compelling business case for sufficient information security resources requires understanding the unique obstacles and emerging trends in the consumer products and retail industry that could pose future challenges, and implementing leading practices deployed by the industry’s most effective CISOs.
At the same time, CISOs in consumer products and retail companies have a valuable opportunity. They can borrow a page from their marketing colleagues and engage ambassadors to achieve a more sophisticated, more proactive brand of information security which can be used in all interactions with fellow executives, board members and the rest of the organization.
The CISO role is a tricky one, regardless of industry. Information security leaders are rarely the ultimate arbiters of pivotal decisions that affect cybersecurity made throughout the business, yet they’re ultimately on the hook for managing cybersecurity risks. Within the consumer products and retail sector, information security capabilities tend to become bogged down due to one or more of the following factors:
- Cybersecurity skills are scarce. Organizations in all industries compete over an insufficient supply of information security talent. However, smaller and less digitally mature consumer products and retail companies are at a more pronounced disadvantage when it comes to competing against larger, more data-advanced enterprises for these skills.
- The sector has historically lagged other industries regarding IT and cybersecurity investments. This is a concern because attackers increasingly target data that can be monetized easily, such as the consumer data retailers possess, and also because new data privacy regulations will certainly continue to emerge worldwide. Many consumer products and retail organizations, given their subpar IT maturity, remain focused on consolidating their existing systems – and these reconfigurations give rise to new security risks that require mitigation. Another factor: The cybersecurity expertise on corporate boards in the sector tends to lag other industries, which may contribute to the underinvestment in technology.
- IT and cybersecurity budgets remain tight. Over the past year, there was uneven performance among consumer products and retail organizations. Some grew and thrived during the COVID-19 pandemic, while others struggled. Retailers with mature e-commerce capabilities tended to perform better while many of their less advanced peers struggled as they scrambled to adapt to the expectations of newly remote customers. The latter group of companies remains understandably hesitant to open up the checkbook to invest in new cybersecurity skills and technologies, while even some of the most successful organizations remain cautious given the relative uncertainty of the year ahead.
- The omnichannel shift poses security risks. The pandemic accelerated the advance of e-commerce and the related move to omnichannel transactions across many industries, not just retail. Social distancing gave rise to new acronyms like BOPIS (buy online, pick-up in store) and sped up evolutionary curves, including those within consumer products companies making the direct-to-consumer (DTC) leap. More customer data flowing through more channels means more data security and privacy risks. In addition, many retailers increased adoption of Internet of Things (IoT) devices, such as sensors, without adequate controls, which adds to their business risk.
In addition to clearing industry-specific hurdles, CISOs must keep tabs on several developing trends that could pose additional challenges. First, as noted earlier, new data security and privacy regulations are almost certainly on their way, and some may be sweeping in nature (e.g., a U.S. version of the EU’s GDPR). Second, digital transformation is just revving up, and its impact on the consumer products and retail supply chains will be profound. Within a few years, inventory forecasting and communications with value-chain partners will be automatic. Third, as is the case in all industries, consumer products and retail companies continue to expand their work with third-party cloud and technology vendors. This growing reliance ups the ante on third-party risk management activities related to data security and privacy.
Despite that imposing mix of challenges and contingencies, leading CISOs are making progress on cybersecurity improvements by taking concrete actions, such as:
- Communicating information security in business terms. The most effective CISOs we work with articulate information security matters in business terms. They lead conversations by noting how cybersecurity risks affect the business and the bottom line. These CISOs remind their fellow executives that managing cybersecurity is a business responsibility, and not solely the responsibility of the CISO.
- Presenting to the board. CISOs who have the opportunity to speak directly to the board tend to garner more support and larger security budgets compared to those who leave board-level cybersecurity reporting to the CIO. Within companies with the most advanced information security programs, CISOs tend to present to a committee of the board – a skill that can and should be honed – on a quarterly basis.
- Cultivating C-suite relationships. Successful CISOs nurture credible, collaborative relationships with C-level executives. The chief operating officers (COOs) and chief marketing officers (CMOs) are especially important cybersecurity influencers within the consumer products and retail sectors. COOs tend to oversee supply chains, a crucial source of cybersecurity risks. CMOs have leveraged advances in data analytics and customer experience management to become prime drivers of technology investments. We’ve also seen leading CISOs work closely with chief human resources officers to develop innovative approaches to recruiting and retaining information security professionals.
- Standing up a recruiting program. Talent management innovations in the security community include establishing on-campus recruiting pipelines. While new graduates from a growing number of university cybersecurity programs are highly sought after, it’s important to keep in mind that this talent segment needs polishing – primarily through exposure to difficult business dynamics in real-world situations. Some CISOs have also devised innovative professional development programs focused on retooling IT talent in their companies with cybersecurity skills.
As consumer products and retail industry CISOs find their footing as cybersecurity ambassadors, even more of this type of creativity will be needed.