#NRF2020: How Target bolstered its security after retail’s biggest breach

Three chief information security officers (CISOs) took to the stage at NRF in New York on January 13 to discuss collaboration and the skills gap in retail cybersecurity.

Rich Agostino is the senior vice president and CISO at Target Corp, a retailer which, as he points out, “is mentioned in every single talk on cybersecurity in retail”.

In 2013, Target suffered a data breach largely touted as the largest in retail history. “It was far from the first data breach, but it was significant. It was the introduction to a brand new threat to our industry. The way we saw threats before 2013 and after 2013 is very different.”

Agostino painted a picture of the modern-day cyber threat: advanced, organised cybercrime teams who are persistent and evolving every day. “They’re not sitting in the basement hoping you do something wrong, they are actively looking to build new tools to exploit companies and are willing to invest for months at a time on potential victims.”

When Agostino joined Target in 2014 in the wake of the breach, he had to think not just about how to fix the problem from 2013 and move on, but “how to build a long-term strategy that is sustainable knowing that threats will continue to evolve and persist, and building a defence that will evolve with that”.

Agostino shared the measures taken by Target in the wake of that fateful breach. “We hired hundreds of industry experts in retail, financial services, defence contractors from the government and more than doubled the size of the team. We brought all critical functions of cybersecurity in-house, reducing our reliance on contractors and outsourced services.

“We launched new capabilities like our cyber-fusion centre, where 24 hours a day, seven days a week we have Target team members looking at, monitoring and defending our company against threats.”

In addition, Target built a strong engineering function and filed for more than 10 patents on security technology which the retailer’s engineers have built over the years.

Target believes in appointing security advocates across the company. “The talent benefit is that you have a wider network of pseudo-cybersecurity folks,” explained Agostino.

Collaborating to fight against cybercrime

“One of the most important things we’ve done though, is to prioritise the concept that security is a team sport. We are all stronger together and our customers are safer when we all work together to fight cybercrime.”

Agostino is not referring to his own team exclusively, but to CISOs and security teams from different retailers coming together to share best practice and advice. He discussed a coalition that Target, Best Buy and others have formed to collaborate on intelligence sharing and talent pipeline development.

Adam Mishler is the VP and global CISO for Best Buy. He explained what collaboration means to him: “It’s about working together as CISOs and talking to industry peers about what we’re doing and how we are addressing and tackling threats.” Networking and collaboration between retail CISOs happens at both a formal and an informal level, he said, explaining that many texts go back and forth requesting advice and problem-solving together.

Dave Estlick is the CISO of Chipotle. He talked about the importance of encouraging people to work in cybersecurity, referring to the significant and ever-increasing skills gap facing the industry. “We have an advantage already because we’re the only function in IT that Hollywood writes movies about. We need to get people to understand the path and help other technologists understand that their critical background can be leveraged for a career in cybersecurity.” Rather than looking for formal education or qualifications in cybersecurity, Estlick is instead seeking people who have analytical skills and can solve problems.

“As an industry, we have to be prepared to train and build people,” added Mishler.