Since the retail security breaches of 2014, the retail security sector has received much more interest in how it is handling its security, and its people, process and technologies. Sitting in the central London office of UK high street powerhouse M&S, head of information security Lee Barney talked to me about the changes he has overseen since he took the job in 2015.
With a background in retail and senior level security management, Barney now manages a team of 40 people based across two locations. Following a recent recruitment drive, he acknowledged that almost every retailer he had worked at “compares itself to retailers internationally”.
He said: “I’ve spent a lot of time in retail and I like it, which is strange, as it is the hardest place to do security properly! You really need to sell your changes before you can make them, as there is no automatic buy-in to security.”
“It doesn’t matter where you are, as retail businesses have been around for a long time – M&S has been around since 1884– and in that time we have seen two world wars, seen the Cuban Missile Crisis, seen terrorism begin and expand to its current form, we’ve seen so much and been part of a choppy global dynamic and we’ve seen the business expand into global territories. We’ve seen risks and although people say they are potential problems, the business has seen them off and it is still here.”
Barney admitted that security is “taken incredibly seriously here”, and more so than he had seen anywhere else he had worked, mainly as the brand is of upmost importance and if anything impacts the brand, it will get everyone’s attention.
As the Target breach impacted the company’s technology, I wanted to get an understanding of how Barney saw the state of security technology in retail. He said he was less concerned about the security technology that we have and more about the people, specifically in the way that M&S works.
The problem, according to him, is that credit card processing technology is 40 years old, as it is attacked frequently, and attacks are seen on infrastructure to get access to credit card data.
“Target was a real game changer for cybersecurity. It was the ‘eureka moment’ when senior executives realized the business case for investing in cybersecurity. The return on investment became more obvious to retailers – avoiding litigation fees and fines.”
Looking at the 2013 Target attack, I wanted to know how much this shook up the typical retail CISO. Barney said that it did impact everyone and not just UK, US or European retailers, as the attacks are not that sophisticated, but a good CISO will see anomalies as there was historic equipment in place and they were not up-to-date in regards to thinking about security and investments.
So is there a problem across retail security that old technology is still there and being used? “Old technology is in every business, and if anybody tells you otherwise they may want to take another look,” he said.
“We use mainframe systems as every business does, but the main thing that M&S are good at is taking big and bold decisions to use new technology, and that is why we accept Apple Pay, and were one of the first to do it. That can cause you problems as if you are on the vanguard of change, you don’t know what is there to trip you up and it is very easy for those businesses behind you to step over you.”
“The thing is that security is not that hard, there is a baseline of things but it is not hard to get the basics right and more often than not, attackers are looking for the basics to be wrong.” Barney said he had made steps to improve the security resiliency within the company and in particular hiring ambitious experts who find new solutions to problems. He said he has introduced a gamification concept into the daily work, especially regarding his ethos of detection and response.
“We have a blue team, or cyber operations team, and they look for changes against the baseline and look at all the systems and all of the network and web platforms. If the number of attacks goes up then it tells us that we are detecting it, but it if goes down when we don’t expect it, it may be that an attack has been successful and is no longer being picked up.”
“To make them do that, we have a red team and we pit them against the blue team and 50% of their day job is to sit outside the perimeter and attack their way back in. Every time they achieve a hack, they get points. Based on competence and capability, they get a number and at the end of every week those numbers are added up and the highest scorer gets a day off. The blue team can try and capture their points and if they win, they earn the day off.”
Barney said his team enjoys working in this type of environment. “It is a career progression from the blue to the red team as they shift focus to detection from prevention, and we do ‘promote’ people.”
The team of 40 in Barney’s department combine a range of ages, and he said that the opportunity with the younger staff is to make use of people who know about technology, which often comes naturally to them. However, while they may know Windows or iOS, the new generation has been built up with so many expectations on what the work life actually is, and Barney said that it doesn’t manifest itself in reality. “You bring them down to reality gently and the reason we do all these things is for this purpose, you have to come to work,” he said.
“One of my great passions is getting security to be more recognized and diverse, as it is considered to be a subsection of IT and I do see a problem with not enough women in cybersecurity. Simply put, 50% of the population is female, so why are 50% of the cyber team not female?”
“M&S is very diverse and has a very good gender balance, but 30% of my team is female and I want to make that better. I look for female candidates and compare them to male candidates, and hire them as appropriate for the job, but I need to see more women coming forward and going into the industry.”
Barney said that it is about getting someone who is right for the role, particularly as he is doing something with detect and respond that is not commonplace, and you cannot lift those skills off the shelf, so time is spent training analysts to make sure that they do have those skills.
As one of three ex-army men in his department, Barney said he does see CVs from people with a military background, but as there are so few people in the military who do a typical security day job due to outsourcing, he believed that the true cyber offensive capabilities do not exist yet, and those who do get full time jobs end up working in government departments.
Barney added that he wants to track the best candidates, but often it is about realizing that a career in cybersecurity is an option, and until then, we are missing out on those candidates who would make great employees.
“I’d rather have good people across the country, than have the greatest technology that we spend a fortune on that will eventually go out of date,” he said. “People don’t go out of date if you invest in them. Technology has its place, but the people who filter it are human beings at the end of the day. Until we have artificial intelligence, people are our greatest asset.”