NEW YORK — After a data breach, companies have to clean up their mess, pay settlements, and restore customers' trust.
But if a company is as popular as Target is, shoppers remain loyal.
Target's 2013 data breach wasn't the first major data breach, but it was "significant" because it introduced a new threat to retail, said Rich Agostino, SVP and CISO of Target, while speaking at the National Retail Federation (NRF) conference last week.
Target's breach recovery didn't end with remediation; it needed a sustainable security model that included active information sharing. Ever-present cyberthreats in retail are forcing CISOs to talk to each other, even if they're competitors.
Agostino is part of the Cyber Twin Cities Cybersecurity Coalition, which includes seven other companies headquartered in Minnesota, such as Best Buy and General Mills. "We didn't go to an organization" and pay sponsorship fees — the coalition was self-formed, said Agostino.
How to start the conversation
Having seen the other side of a data breach, Target knows what is required for remediation and maintenance.
"We brought all critical functions in cybersecurity in-house to reduce our reliance completely on contractors [and] managed services," said Agostino. After bringing cybersecurity experts in-house, the team has filed for at least 10 patents.
The retailer also has a cybersecurity center where team members monitor the threat landscape. But the retailer knows a sustainable security model isn't confined to Target's walls. Bad actors repurpose their attacks; one retailer's threat is every retailer's threat.
Retailers are all fighting the same adversaries; if one company knows how to avoid a cyberthreat, it's in the best interest of other CISOs to learn from it, said Dave Estlick, CISO of Chipotle, while speaking on the panel at NRF. "Security is not a competitive advantage."
CISOs connecting with other CISOs, whether in a formal capacity or on a text chain, is vital. In times of crisis, such as heightened cybersecurity alerts, collaboration can't be reserved for incident post-mortems.
"Too often what happens is we find ourselves back on our heels or reactive," said Estlick. "Crisis is not the time to try to figure out what level of information are you going to share."
Estlick recommends reaching out to CISOs or companies who have already solved their own business's problem and determining the following:
- Does your business share information?
- If yes, does your business already have an information sharing plan or reporting hierarchy?
- What level and what kind of information are you willing to share?
- If you're not a security professional, should you have a security conversation on behalf of the brand?
Resistance to talk
Information sharing in cybersecurity can feel taboo, though it's widely encouraged.
Companies are concerned about liability if they share information that's inaccurate or incomplete, said Agostino. But weeding through what is and isn't appropriate to share among CISOs is fairly simple.
There are two different kinds of information sharing: tactical threat data and "more strategic benchmarking," Agostino later told CIO Dive. Strategic information sharing usually outlines how a CISO is funding their team, what tools they are using or how they are recruiting talent.
Information sharing is a lifeline for companies without the resources or bandwidth for constant threat analysis or data collection. "I hear [smaller organizations] say, 'we don't have anything to share,'" said Agostino. His response is that every company knows something someone else doesn't — bad actors replicate attacks across targets.
A company sharing an "indicator" externally is a "simple gesture" that could save a company from a phishing email-turned-data breach, said Agostino.