These are challenging times for the nation’s chief information officers — and speed is of the essence.
An annual survey of global CIOs found that digital innovation is actively causing disruption to business models, requiring IT leaders to move quickly to deliver new infrastructures, platforms and applications to meet customers’ fast-changing needs. An overwhelming two-thirds of all CIOs believe digital disruption is now a very significant change to business, according to the “Harvey Nash CIO Survey 2015,” done in association with KPMG.
And while last year’s survey suggested that chief marketing officers (CMOs) were owning and leading the digital agenda, the 2015 survey detected a change in the wind. It described a “boomerang” effect, with IT organizations either collaborating with the CMOs or taking on the responsibility for themselves. Forty-seven percent of respondents claimed shared ownership of digital by IT and marketing, up from 40% last year.
Digital Officers: In a revealing statistic, there has been a significant increase in the number of chief digital officers appearing on the IT landscape. Almost one in five CIOs now work with a chief digital officer, up 7% from last year. An additional 5% report that hiring is underway for a digital officer.
“What’s most striking about the results is the speed of change,” said Albert Ellis, CEO of Harvey Nash Group. “In the 17 years we have conducted the survey, we have never seen a new role grow so quickly as we have the chief digital officer. We have never seen demand for a skill expand so quickly as we have for big data analytics. As technology increasingly becomes focused on the customer, the IT, marketing and operations teams are increasingly working together in new ways.”
The survey finds the role of the chief digital officer varies by company. Where the position exists, only 47% of companies have the designated digital officer take full leadership of the digital strategy. The remaining companies prefer to have the CIO, CMO or CEO take the lead.
In other key findings:
- Retail CIOs responded that nearly 7% of their companies’ annual sales are spent on IT.
- Over half (56%) of CIOs rank an IT infrastructure that allows greater innovation and agility as the most important component of successful digital activity, tied with using digital to create new revenue streams (56%) and followed by using mobile platforms to engage with customers (54%).
- As in previous years, software development and data centers remain the functions CIOs most often outsource. However, demand for outsourced software application development is falling, while data center demand is growing. Outsourcing of networks and software maintenance seems to be going out of fashion; both have seen steady declines over the last six years.
Where NOT to Store Financial Data
One of the best ways retailers can make both their financial data and their store systems more secure is to shrink the attack surface by removing financial data from the store altogether.
“Take any credit card data out of your store systems,” advised Perry Kramer, VP and practice lead for Boston Retail Partners. “Most retailers don’t know what’s on their systems or their risk profile. You need a good inventory. Some data you might keep.”
According to Kramer, most major retailers are now getting credit card data out of their systems through tokenization: the card number is replaced with a surrogate value, or "token," that carries no information about the account and can be mapped back to the real number only by the token vault at the payment processor. The financial institution processing the transaction "detokenizes" the value when it receives it. Hackers who steal tokens from a retailer's network therefore obtain values that cannot be turned back into card numbers; the vault, not the store, becomes the asset that has to be protected.
In the past several years, the development of Unified Commerce (UC) systems that connect all retail channels in real time has allowed retailers to strategically leverage tokens across channels.
“If you assign a customer a token for an e-commerce transaction, you can use it again in the store,” said Kramer. “One token follows the customer within the retailer. It’s driven by Unified Commerce and wasn’t possible until four or five years ago.”
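The following sketch is an added example, not code from the article or from Boston Retail Partners, showing the mechanics Kramer describes: the store system keeps only a token and the last four digits, the processor keeps the vault that maps tokens back to card numbers, and the same card gets the same token across a retailer's channels (a "multi-use" token) while a different merchant gets a different one. It assumes a single processor-side vault keyed by (merchant, PAN) and tokens that keep the card number's length and last four digits but are otherwise random and deliberately fail the Luhn check, so a token can never pass as a live card number. The card numbers used are standard test numbers, not real accounts.

```python
"""Tokenization sketch: the retailer keeps tokens, the processor keeps the vault.

Added example; not code from the article or from Boston Retail Partners.
Assumptions: one processor-side vault keyed by (merchant_id, PAN); tokens keep
the PAN's length and last four digits, are otherwise random, and never pass
the Luhn check. Test card numbers only.
"""
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Runs at the payment processor. Nothing in this class is deployed in the store."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}            # token -> PAN
        self._token_by_key: dict[tuple[str, str], str] = {}  # (merchant_id, PAN) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Return the merchant's token for this PAN, issuing one on first use."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        key = (merchant_id, pan)
        token = self._token_by_key.get(key)
        if token is None:
            token = self._new_token(pan)
            self._token_by_key[key] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to the PAN. KeyError means the token was never issued here."""
        return self._pan_by_token[token]

    def _new_token(self, pan: str) -> str:
        # Random digits in front, real last four kept for receipts and lookups.
        # Reject candidates that happen to pass Luhn, so a token is never a valid PAN.
        prefix_len = len(pan) - 4
        while True:
            candidate = "".join(secrets.choice("0123456789") for _ in range(prefix_len)) + pan[-4:]
            if not luhn_valid(candidate) and candidate not in self._pan_by_token:
                return candidate


def checkout(vault: TokenVault, merchant_id: str, pan: str, amount_cents: int) -> dict:
    """What the store system records after a sale: token and last four, never the PAN."""
    token = vault.tokenize(merchant_id, pan)
    return {"merchant_id": merchant_id, "token": token,
            "last4": pan[-4:], "amount_cents": amount_cents}


def holds_card_numbers(records) -> bool:
    """Inventory check from the text: does stored data contain anything that looks like a live PAN?"""
    for rec in records:
        for value in rec.values():
            s = str(value)
            if s.isdigit() and 13 <= len(s) <= 19 and luhn_valid(s):
                return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    in_store = checkout(vault, "retailer-1", "4111111111111111", 12999)
    online = checkout(vault, "retailer-1", "4111111111111111", 4500)
    print("same token across channels:", in_store["token"] == online["token"])
    print("store records hold a PAN:", holds_card_numbers([in_store, online]))
```

Two design points the sketch makes visible: the per-merchant key means a token lifted from one retailer's database is meaningless at another, and the Luhn rejection in `_new_token` stops a token from ever being mistaken for, or accepted as, a card number. A real vault would store PANs encrypted and sits squarely in PCI scope, which is exactly why retailers prefer to have the processor run it.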
A second development of the past several years that helps retailers avoid storing customer financial data is the separation of payment from the rest of the store systems.
“Retailers are pulling payment out of the POS,” said Kramer. “Payment is encrypted on swipe, coded at the payment terminal and decoded at the bank. There is no longer payment data entered into the POS. The retailer has no key; the key is at the bank. If the retailer is hacked, it won’t give exposure.”
In addition, some retailers now settle payments with their banks as transactions are captured, in or near real time, which removes the batch settlement files that would otherwise have to be built and held in the store.
“If it ties, it flies,” Kramer commented.
However, Kramer cautioned that performing this type of advanced secure payment processing requires that retailers stay current with the latest hardware and also keep their staff educated.
“If you haven’t done so, re-evaluate your staff and your store systems team,” said Kramer. “They should collaborate with the security team.”
Although this level of payment security will also increase operating expenses, Kramer said retailers may be able to recoup some of the cost through lower cyberinsurance premiums. Finally, he gave some important advice for retailers that may try to simply extend the security they used for fixed POS to mobile POS.
“You have to plan and test mobile POS security,” said Kramer. “You have to do it twice.”
The October deadline for retailers to accept EMV (Europay, Mastercard, Visa)-compliant, chip-based payment cards or face increased fraud liability has placed payment card security in the industry headlines. While important, securing card-based payments at the store is one small facet of the huge undertaking retailers face in protecting their entire network.
For retailers, the broad concept of “security” encompasses specific areas, such as store systems, supply chain, financial data, third-party partners and the enterprise as a whole. In addition to preventing breaches and other harmful incidents, retailers that want to enact a truly comprehensive security plan must also include steps for detecting and remediating intrusions, as well as maintaining operational consistency during a response.
And the looming arrival of next-generation computing technologies such as quantum computing may create significant changes in the security landscape. But since EMV has been such a hot topic as of late, let's start with a closer look at it.
EMV: As of Oct. 1, 2015, a retailer that does not have EMV-compliant hardware, software, and operational and network protocols in place bears the liability for card-present fraud (chiefly counterfeit cards) on transactions made with chip-based payment cards at its terminals, liability that until then sat with the card issuer. The cost and effort required to comply, together with the potentially enormous liability for not complying, have made EMV the retailer security topic du jour. Yet achieving EMV compliance is only one piece of the security puzzle, and not necessarily a vital one.
“EMV compliance is not as imperative if you don’t sell fenceable goods, such as luxury items or gift cards,” said William P. Freed Jr., manager, public affairs and issues for Visa Inc.
Tom Litchford, VP retail technologies, National Retail Federation (NRF), had similar thoughts.
“The liability shift is not a hard date,” said Litchford. “It’s mandated by card providers from a risk-management business perspective. Whoever is least secure has the liability.”
Most large retailers, such as Target and Wal-Mart, will have complied or come close to complying with the EMV mandate by the October deadline. For other retailers that have further to go (or haven't started), Freed recommended using a qualified integrator and reseller. However, he cautioned that resellers may present security vulnerabilities of their own.
“A lot of hackers are targeting resellers and integrators that are not using security best practices,” said Freed. “Some are using common passwords for remote maintenance practices.”
Litchford said retailers embarking on EMV compliance need to decide such factors as whether they will use self-service or traditional POS, what customer prompts and screen displays to present, and how checkout speed will be affected.
“No matter what, start with customer experience,” advised Litchford. He also recommended that retailers study software specifications and seek terminals that can walk customers through EMV-compliant transactions, since high cashier turnover will limit the help associates can offer.
Freed and Litchford agreed that EMV compliance ultimately protects only card-present transactions at the point of sale and does not prevent data breaches in other parts of the network. In addition, other countries that have implemented widespread chip-based payment cards have seen a significant increase in online (card-not-present) fraud as criminals move to the weaker channel, which both experts expect to happen in the United States.
Network Integrity: In their intense focus on EMV compliance, retailers often fail to see the forest of the network for the trees of the POS. Craig Spiezle, executive director and president of the Online Trust Alliance and former director of product security and privacy, product management for Internet Explorer at Microsoft, said retailers need to understand POS security is part of a much larger effort.
“Retailers have looked at the POS and other individual network components as discrete, isolated silos,” Spiezle said. “Systems are interconnected. You compromise one, you compromise all.”
Spiezle cited the 2013 Target breach, which began with the compromise of credentials a third-party HVAC vendor used for remote access to Target's network, as an example of how an intrusion at any point in the network puts the whole enterprise at risk.
“It’s a Titanic of a problem,” Spiezle said. According to Spiezle, retailers can eliminate a lot of potential security vulnerabilities by establishing firm administrative controls for their networks.
“A firewall is as good as how it’s secured and configured,” Spiezle said. “Default settings are not properly considered. Security is not in the four concrete walls of the store. Where is the data? Who has access and administrative privileges? Are the same credentials used for the salesforce also used internally?”
Thus, retailers need to make sure they follow security “basics,” such as revalidating data access when an employee is promoted and not reusing passwords.
“Too many people have broad global access,” Spiezle said. “You need to reduce the attack surface.”
Spiezle also offered some advice on how retailers can better identify when a breach has occurred, and ensure they remain in operation while compromised systems are remediated.
“Outside the firewall, data loss prevention technology can be added on top of large packets of data and detect unusual traffic,” explained Spiezle. “It acts as a ‘surge protector’ and will block traffic if there is too much activity, and prevent incidents before they become catastrophic.”
In addition, Spiezle said retailers should conduct a security audit of all third-party vendors, just as they would audit price and service levels. And since criminals often hold stolen credit card data for months while they try to boost its value by correlating it with other personal consumer data, retailers cannot wait until card data shows up on black market websites to find out that their customers' information has been compromised.
“Look at log data regularly,” said Spiezle.
“Often, retailers only look once a problem is detected, which is too late. It’s like in-store security videos, which are only checked when there is a problem, but should be reviewed regularly or monitored in real time.”
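As an added example of the regular log review Spiezle calls for (not code from the article or from the Online Trust Alliance), the script below runs one simple egress check over flow logs: sum each store host's bytes to external addresses per hour, use the host's own median hour as its baseline, and flag any hour that exceeds both k times that baseline and an absolute floor. Data leaving the store in bulk to an address the host never talks to is what a POS compromise looks like in flow data, and it is visible well before the cards surface on a carder site. The flow records are constructed; 10.0.0.0/8 is assumed to be the store network and the destination addresses are taken from the RFC 5737 documentation ranges.

```python
"""Flag store hosts whose outbound volume departs from their own baseline.

Added example; not code from the article or from the Online Trust Alliance.
Assumptions: flow lines look like 'TIMESTAMP src=A dst=B bytes=N', the store
network is 10.0.0.0/8, and a host's median hourly egress is a fair baseline.
The records below are constructed for the example.
"""
import ipaddress
import re
import statistics
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed store network

# Constructed flow records. Three POS hosts talk to the payment processor
# (203.0.113.10) in small bursts every hour; at 03:00 host .13 also pushes
# ~80 MB to an address nobody else uses. The 5 MB flow from .11 is internal.
SAMPLE_FLOWS = """\
2015-09-01T00:05:10 src=10.20.1.11 dst=203.0.113.10 bytes=2048
2015-09-01T00:07:40 src=10.20.1.12 dst=203.0.113.10 bytes=1900
2015-09-01T00:09:02 src=10.20.1.13 dst=203.0.113.10 bytes=2100
2015-09-01T00:15:30 src=10.20.1.11 dst=10.20.0.5 bytes=5000000
2015-09-01T01:05:12 src=10.20.1.11 dst=203.0.113.10 bytes=2200
2015-09-01T01:06:01 src=10.20.1.12 dst=203.0.113.10 bytes=2000
2015-09-01T01:08:44 src=10.20.1.13 dst=203.0.113.10 bytes=1950
2015-09-01T02:04:59 src=10.20.1.11 dst=203.0.113.10 bytes=2100
2015-09-01T02:05:33 src=10.20.1.12 dst=203.0.113.10 bytes=2050
2015-09-01T02:07:18 src=10.20.1.13 dst=203.0.113.10 bytes=2000
2015-09-01T03:02:07 src=10.20.1.11 dst=203.0.113.10 bytes=1980
2015-09-01T03:03:15 src=10.20.1.12 dst=203.0.113.10 bytes=2120
2015-09-01T03:10:41 src=10.20.1.13 dst=203.0.113.10 bytes=2000
2015-09-01T03:14:09 src=10.20.1.13 dst=198.51.100.7 bytes=48000000
2015-09-01T03:31:55 src=10.20.1.13 dst=198.51.100.7 bytes=32000000
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def hourly_egress(lines):
    """Return {src: {hour: [bytes, set(dsts)]}} counting only traffic that leaves the store network."""
    table = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m or is_internal(m["dst"]):
            continue                       # malformed, or store-internal: not egress
        hour = m["ts"][:13]                # 'YYYY-MM-DDTHH'
        bucket = table[m["src"]][hour]
        bucket[0] += int(m["bytes"])
        bucket[1].add(m["dst"])
    return table


def find_egress_anomalies(lines, k: int = 10, floor_bytes: int = 1_000_000):
    """Hours where a host sent more than k times its median hourly egress and more than floor_bytes."""
    anomalies = []
    for src, hours in hourly_egress(lines).items():
        baseline = statistics.median(total for total, _ in hours.values())
        for hour, (total, dsts) in sorted(hours.items()):
            if total > floor_bytes and total > k * baseline:
                anomalies.append({"src": src, "hour": hour, "bytes": total,
                                  "baseline": baseline, "dsts": sorted(dsts)})
    return anomalies


if __name__ == "__main__":
    for a in find_egress_anomalies(SAMPLE_FLOWS.splitlines()):
        print(f"{a['src']} {a['hour']}: {a['bytes']} B out "
              f"(baseline {a['baseline']:.0f} B) to {a['dsts']}")
```

The absolute floor keeps a quiet host from being flagged for a trivial increase, and the per-host median rather than a fleet-wide average keeps one noisy server from masking a POS terminal that normally sends a few kilobytes an hour. The same per-host, per-hour table is a natural place to add a second rule the text implies: a destination the host has never been seen talking to.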
Finally, retailers need to ensure they can still operate normally in the event systems go down due to a security breach.
“There need to be backup systems and copies of server software to mirror things, so there is redundancy,” said Spiezle.
Supply chain visibility: In the past few years, retailers have increasingly been turning to RFID technology to help them obtain an accurate, real-time view of their supply chain. While this provides the underpinnings of distributed order management and other omnichannel activities, it can also deliver substantial back-end security benefits.
“Security is usually, but not always, a second-order use case for RFID,” said Justin Patton, director of the RFID Lab at Auburn University. “Usually RFID is phased by category — you might start with jeans and then move on to basics.”
Patton said the typical value delivered by RFID is that you can count items much faster and more accurately without needing a direct line of sight to the items being counted.
“You can verify that a case of jeans has 20 pairs or a rack of shirts has the right number quickly,” said Patton. “RFID provides shrink visibility. It allows you to immediately know what items are missing and how many, so you can identify loss at a lower cost.”
Unlike electronic article surveillance (EAS) tags, which alert retailers that unpaid items are going out the door but not which items or how many, RFID tags identify exactly what left.
“You may not want to chase someone in the parking lot for a pair of flip-flops but would for a $600 handbag,” commented Patton. In addition, RFID offers a real-time visibility portal into any chokepoint in the supply chain, such as a warehouse or an offload from a delivery truck. Exception reporting can let a retailer know if items are missing.
“A direct store delivery route might cover 12-15 stores in one day,” said Patton. “An error at the first store causes problems at the end of the route. Real-time RFID tracking of what’s being offloaded prevents mistakes that can compound.”
RFID also provides retailers with valuable real-time data that can be analyzed to prevent theft before it happens. For example, if a customer brings a large number of RFID-tagged DVDs into a dressing room, the retailer can be alerted about a possible shoplifting event and then intercept the DVDs before they leave the store.
Furthermore, Patton said RFID offers upstream authentication capabilities that secure the supply chain against questionable goods.
“Each RFID tag has a unique serial ID, unlike a barcode,” said Patton. “You can ask suppliers to preshare the ID, preventing counterfeiting and stolen goods. You can also identify products that might originate from sources that do not comply with environmental or worker safety standards.”
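The reconciliation Patton describes, as an added example that is not code from the article or from the Auburn RFID Lab: a supplier pre-shares the serial numbers it shipped, the receiving dock reads the tags, and anything read that was never shared is flagged (counterfeit or diverted goods) while anything shared but not read is reported as missing (the exception reporting mentioned above). Tags are decoded from the GS1 SGTIN-96 layout (8-bit header 0x30, 3-bit filter, 3-bit partition, company prefix and item reference in 44 bits, 38-bit serial); the company prefixes, item references, serials and read list below are constructed for the example.

```python
"""Reconcile RFID tag reads against a supplier's pre-shared serial manifest.

Added example; not code from the article or from the Auburn RFID Lab.
Decodes GS1 SGTIN-96 EPCs; the company prefixes, item references, serials
and reader output below are constructed.
"""
from typing import NamedTuple

# SGTIN-96 partition table: ((company prefix bits, digits), (item reference bits, digits))
PARTITIONS = {
    0: ((40, 12), (4, 1)),
    1: ((37, 11), (7, 2)),
    2: ((34, 10), (10, 3)),
    3: ((30, 9), (14, 4)),
    4: ((27, 8), (17, 5)),
    5: ((24, 7), (20, 6)),
    6: ((20, 6), (24, 7)),
}
SGTIN96_HEADER = 0x30
SERIAL_BITS = 38


class Sgtin(NamedTuple):
    filter_value: int
    company_prefix: str    # zero-padded GS1 company prefix
    item_reference: str    # zero-padded, indicator digit first
    serial: int


def encode_sgtin96(filter_value: int, partition: int, company_prefix: str,
                   item_reference: str, serial: int) -> str:
    """Build a 24-hex-char SGTIN-96 EPC (used here to construct the sample tags)."""
    (cp_bits, cp_digits), (ir_bits, ir_digits) = PARTITIONS[partition]
    if len(company_prefix) != cp_digits or len(item_reference) != ir_digits:
        raise ValueError("field lengths do not match partition")
    if serial >= 1 << SERIAL_BITS:
        raise ValueError("serial does not fit in 38 bits")
    value = SGTIN96_HEADER
    value = (value << 3) | filter_value
    value = (value << 3) | partition
    value = (value << cp_bits) | int(company_prefix)
    value = (value << ir_bits) | int(item_reference)
    value = (value << SERIAL_BITS) | serial
    return f"{value:024X}"


def decode_sgtin96(epc_hex: str) -> Sgtin:
    """Split an SGTIN-96 EPC into its fields; raises ValueError for anything else."""
    value = int(epc_hex, 16)
    if len(epc_hex) != 24 or value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 EPC")
    filter_value = (value >> 85) & 0x7
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError(f"reserved partition value {partition}")
    (cp_bits, cp_digits), (ir_bits, ir_digits) = PARTITIONS[partition]
    company_prefix = (value >> (82 - cp_bits)) & ((1 << cp_bits) - 1)
    item_reference = (value >> SERIAL_BITS) & ((1 << ir_bits) - 1)
    serial = value & ((1 << SERIAL_BITS) - 1)
    return Sgtin(filter_value, f"{company_prefix:0{cp_digits}d}",
                 f"{item_reference:0{ir_digits}d}", serial)


def reconcile(reads, manifest):
    """Compare reader output with the supplier's pre-shared (prefix, item, serial) set.

    Repeated reads of one tag are normal and collapse to one; a serial the
    supplier never shared is 'unexpected'; a shared serial never read is 'missing'.
    """
    seen = set()
    unexpected = []
    for epc in reads:
        try:
            tag = decode_sgtin96(epc)
        except ValueError:
            unexpected.append((epc, "undecodable"))
            continue
        key = (tag.company_prefix, tag.item_reference, tag.serial)
        if key in seen:
            continue
        seen.add(key)
        if key not in manifest:
            unexpected.append((epc, "serial not pre-shared by supplier"))
    return {"matched": seen & manifest, "unexpected": unexpected, "missing": manifest - seen}


# Constructed shipment: one SKU, serials 1001-1005 pre-shared by the supplier.
SUPPLIER_CP, ITEM, PARTITION, FILTER_POS_ITEM = "0614141", "812345", 5, 1
MANIFEST = {(SUPPLIER_CP, ITEM, s) for s in range(1001, 1006)}
READS = [
    encode_sgtin96(FILTER_POS_ITEM, PARTITION, SUPPLIER_CP, ITEM, 1001),
    encode_sgtin96(FILTER_POS_ITEM, PARTITION, SUPPLIER_CP, ITEM, 1002),
    encode_sgtin96(FILTER_POS_ITEM, PARTITION, SUPPLIER_CP, ITEM, 1002),   # repeat read
    encode_sgtin96(FILTER_POS_ITEM, PARTITION, SUPPLIER_CP, ITEM, 1003),
    encode_sgtin96(FILTER_POS_ITEM, PARTITION, SUPPLIER_CP, ITEM, 1009),   # never shipped
    encode_sgtin96(FILTER_POS_ITEM, PARTITION, "0036000", "712345", 7),    # another company's tag
]

if __name__ == "__main__":
    result = reconcile(READS, MANIFEST)
    print("matched:", sorted(k[2] for k in result["matched"]))
    print("missing:", sorted(k[2] for k in result["missing"]))
    print("unexpected:", result["unexpected"])
```

The check only holds up if the manifest travels out of band from the goods and the tags: a counterfeiter who can read a legitimate tag can clone its serial, so a serial appearing in the manifest is evidence of authenticity only until that same serial turns up a second time somewhere else, which is a check worth adding once reads are collected across stores.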