Implementing a Cyber-Security Program - The Journey of True Partnership with IT
Over the past 7 years, Mattress Firm has been one of the hottest retailers in the world, increasing its store count from over 750 stores to over 3,500 stores through both organic growth and acquisitions. As is the case with many fast-growing organizations, it is sometimes a challenge to make sure that infrastructure and programs keep pace. In 2014, our Executive Management and Board of Directors recognized the need to address cybersecurity because of the high-profile cases making headlines, many in retail, which can create regulatory, legal, and brand reputation damage.
While our company did not have personal health information or payment card data, we held millions of records of payment card transactions and personal information, including addresses, phone numbers, and email addresses. Because of the average ticket size of each sale and the heavily promoted financing offers common in the furniture business, more than 80 percent of our overall sales were transacted by either credit card or credit financing.
Our Starting Point
Our starting point was, simply put, no staffing, no roadmap, and no cyber-insurance. Our first step was to create a governance structure for cybersecurity. To ensure top-level support of the organization, the Cybersecurity Governance Council reports directly to the Audit Committee of the Board of Directors. The council is a cooperative effort led by the Senior Vice-President of Enterprise Risk and the Chief Information Officer. The overall success of the program depended on the relationship between these two functions. The CIO and I quickly determined that this function should be split: Cyber Security would report directly into ERM (Enterprise Risk) to ensure independence for governance and budget purposes, while ITS would have oversight of the implementation of certain aspects of the overall program. A lot can be said for that relationship, as we were equally invested, both strategically and operationally, in seeing the program succeed.
To identify our most critical exposures, our management team conducted a table-top exercise that walked through four scenarios. Immediately, we made the decision to replace aging firewalls with "next gen" firewalls for border protection, to roll out OpenDNS for web filtering and botnet detection/prevention, and to implement additional malware detection.
While taking these initial steps, the governance council decided to adopt a five-level maturity model to help us assess and plan our efforts over the course of a multi-year journey to excellence in cyber. We settled on the CMMI framework used by many government organizations.
Finally, we knew it was important to begin reporting on cyber to the board on a regular basis, both to keep the issue "front and center" and to make it clear how many more exposures needed to be addressed, lest the organization believe that our initial actions had solved all of our problems.
Creating an On-going Program
As we entered year two of our program, we also adopted the NIST Cybersecurity Framework to guide our tactical efforts. It is important to note that the steps in this framework are concurrent and continuous; it is not a serial path.
In year two, we made aggressive progress on both IT Systems and Enterprise Risk Management. Some of our key actions in each domain included:
Enterprise Risk Management
• Integrated Human Resource systems into network security
• Established a formal IT security function
• Identified resources for automated server patching
• Established a formal security awareness program
• Implemented single sign-on/two-factor authentication for specific apps
• Selected an outsourced SOC vendor
• Rolled out thin clients to stores, eliminating 1,000 PCs as endpoints
• Assigned a CIRT team and coordinator to support incident response and recovery
• Implemented sandboxing of email attachments and URLs
• Established a process for all employees to attest to cyber policies on an annual basis
Additionally, we established a cybersecurity assessment process that includes annual penetration tests, quarterly vulnerability assessments, a bi-annual advanced persistent threat detection engagement, a weekly anti-virus efficacy review, and vulnerability assessments on new server builds.
After the conclusion of our May Board of Directors meeting, I was tasked with buying our company's first-ever cyber insurance. This was not an easy task, especially considering that (1) I was not well versed in the world of cyber insurance, and (2) we were just beginning to look at how we were going to get the cyber program started. Again, I leaned on my partners from ITS to help work out what we needed to do. I knew that I could handle the insurance market dynamics, but how would I present the technical aspects, explaining routers, servers, and anything else IT related? The answer was simple: IT would present the technical aspect and I would explain the operational functionality of our business. This ended up being quite the success story, although our first-year rates were not favorable. It gave us a starting point; we had insurance, and now the bigger task at hand was implementing what we had told our Board and carriers we were going to do.
Following the first year's implementation of more than 30 projects, we entered the insurance markets in 2017 with a solid roadmap that had already been implemented, along with the additional efforts planned for 2018. We saw drastic reductions in our premiums after year one, as we finally had all stores on one POS system and were operating at a more sophisticated level.
Current State and Go-forward
Today, we are in a cyber risk management position that is approaching the higher end of the maturity model, but we would not, by any means, say that our journey or efforts are complete. In 2017-2018 alone we have more than 37 initiatives that we will be rolling out to the organization, including aggressive training, more robust monitoring tools, and an improved business continuity and disaster recovery plan.
My advice to readers of this article is simple: get the executive support; have a good partner in IT who is aligned with you; diagnose your business and fully understand it (be honest with yourself and your organization); put together a robust strategic plan; know that the road to success is a jog before a sprint; and, most of all, have fun with the implementation. Starting a new program can sometimes be frustrating and overwhelming, but for the benefit of the organization it is well worth it.