This article was first published in the Winter 2014 issue of Speak
The frequency of security threats is growing – and fast. Whereas major security breaches in the retail industry previously made the headlines once or twice a year, there are now major announcements on a weekly basis and, in future, those headlines are likely to occur daily.
Certainly retailers must implement solutions, such as malware and data encryption software, to protect all devices on the store floor, but it is imperative that the industry looks beyond POS protection to an all-encompassing approach. Companies like Intel and Microsoft are now encouraging retailers to deploy intrusion detection solutions, better protect their data centres, and as a basis of these three broad approaches, address their security culture. Not only do they need to train employees about security, they also need to remove the stigma attached to having the word ‘security’ or ‘technology’ in a job title.
Today, it is apparent that an enterprise’s first response to a security breach is to replace the CIO, the CSO, or any of the staff responsible for preventing such attacks. While this may be necessary in some cases, more often than not it is detrimental to both the employees and the enterprise. In addition to the company losing its best assets, it remains defenceless against further cyber attacks while both the new executives and team adapt to the management changes.
Think of it like this. A football team may experience a few losses early in a season, but this does not mean that replacing the manager is the only way to reach the playoffs. While bringing a new manager into a well-established security team may appear to be a good short-term fix, it is more likely to lower morale and stifle any momentum for the ongoing deployment of security solutions. When they are faced with new environments, employees can become fearful and play it safe, rejustifying every plan and re-finding their place within the hierarchy. According to psychologist Bruce Tuckman, new teams must pass through the ‘forming, storming and norming’ phases before they are able to perform to a high standard, which takes time. During this adjustment period, defences are weakened and the organisation is exposed to more intrusions.
Unless a breach can be directly linked to the failure of a leader, it is more beneficial for a strong manager to remain in their post and work to identify the weaknesses that caused the breach, before developing strategies to overcome these issues. This ensures that the overall team becomes more skilled and less likely to make the same mistakes in future.
Imagine if companies were to investigate the breach and determine that the best way to maintain their commitment to protecting their customers’ financial and personal data was to increase their investment in the same security team and leaders that have tirelessly worked towards that objective for the past five years. The next security intrusion headline could read: ‘Retailer to support their existing security team after last week’s breach’.
Paul Butcher is a retail industry strategist at Intel