Ascena Retail Group: A Case For Community And Finding Strength In Numbers
Security Leaders Should Focus On Robust Information Sharing, Says Retail CISO
Ascena Retail Group, Inc. (Ascena) is one of the largest women’s specialty retailers in the world. Some of its brands include Ann Taylor, LOFT, Lou & Grey, dressbarn, Lane Bryant, Catherines, and Justice. With around 58,000 associates who work in stores, home offices, distribution centers, and international locations, keeping a company of this stature secure is no easy feat.
Enter Mark Tomallo. Tomallo is the Chief Information Security Officer (CISO) for Ascena and his teams are responsible for all cyber, compliance, information security, governance, and risk management functions.
“One of the great things about this organization is there's a lot of support for cyber security and the protection of data, throughout the organization. And I would say, starting from the board to the audit committee to the executive management to the lines of business — all are incredibly interested in protecting our customer data,” says Tomallo.
And while he notes that they may not be 100% sure how to do it — they may not understand the dark web or all the intricacies and the complexities that go on in the underground supply chain — there is “phenomenal support” for the IT teams that work on the how, on a day-to-day basis.
Falling Into Cyber Security
Tomallo’s background is the culmination of 20 years of information security experience along with running technology start-ups, large corporate security teams and M&A work, which has given him a unique perspective on protecting the enterprise (no matter what size).
He has held leadership positions at Cardinal Health, a Fortune 15 health information services provider, medical products manufacturer, and pharmaceutical distribution company as well as Cisco Systems and AT&T EasyLink. Tomallo also serves as an advisor to multiple technology and service companies and was recently a finalist for the FAIR Institute’s Business Innovator award.
Tomallo sort of fell into the cyber security industry. While running his first business, he was working on a Y2K programming project and was asked to do some rudimentary forensics to investigate an employee who was out on vacation when a large check, not from his employer, was found on his desk. In short, it turned out that the employee was siphoning off company bandwidth and storage to run the largest porn site in North America.
In his twenties at the time, he had full access to the CIO of this organization, met with the CEO a couple times, partnered with the FBI, and also helped reveal an insider trading scheme. “And I was just sitting there thinking, ‘If this is security, I am in!’” recalls Tomallo. And from that moment he was hooked.
“So, we definitely fell into that project, but then we specifically decided this is an area where we really want to focus on,” he says. After that, Tomallo landed computer forensics projects, contracts with governments and three-letter agencies, and work with some large entities that conduct credit card investigations.
Is Cyber Security Maturing?
Tomallo says that we – as a security industry and as security professionals – can always do a better job communicating. And getting buy-in is always part of the job description – either buy-in from the business, or your boss, or any executive challenging forward movement.
Further, risk and cyber security have never been as visible or as closely scrutinized as they are right now. And where does that come from? The board of directors, audit committees, lawsuits, Yahoo, Equifax, Wyndham … “Those are tens of millions of dollars of damages those organizations had to pay because their board of directors, or a director, or an executive was sued,” adds Tomallo. However, he says that it has been an evolutionary process. “The maturing in the retail industry went from just PCI compliance to, ‘How protected are we in other areas of the business and what are we doing outside of our transaction networks?’”
Part of an organization's mission is to protect data. Whatever the industry regulatory oversight – PCI, FDA, HIPAA, etc. – compliance naturally comes with it, though this hasn’t always been the case. “Ten to fifteen years ago, the focus was making sure that data was backed up, general controls were in place, and the company was not getting sued,” says Tomallo. Companies in industries without a regulatory reporting process chose not to invest beyond “reasonable security controls and processes”. That lack of accountability came back to haunt them over time as security incidents and breaches occurred, driving a resurgence of investment in the security field.
The Need For Security Risk Compliance With Emerging Technologies
A good thing about the security, risk, and compliance industry is that the technologies are standardized. From endpoint protection to monitoring and transport visibility, there is generally a logging and correlation capability. For fraud detection, you can trace activity all the way back into the data center and walk through scenarios.
Newer technologies worth investigating further include the Internet of Things (IoT) and artificial intelligence (AI). “And so, like most companies, we are investing in and deploying Big Data-type solutions to understand the baseline activity within the organization in advance of automating with AI.”
Certain industries have been slow to embrace AI, including healthcare, retail, and manufacturing. “AI has been a buzz word for a few years, though companies in these sectors are not yet making the investments,” notes Tomallo, who also did a stint at a venture capital firm. “Numerous companies within healthcare, retail, and manufacturing are engaged with the supplier and vendor community to experiment with machine learning components but it’s the vendors and suppliers rather than the enterprises, which are leading the innovation today. What does machine learning and deep learning look like in our industry?” asks Tomallo. “Only time will tell.”
The retail sector is ripe for the intelligent automation that AI technologies deliver. A key asset of retail is the size and scope of data that it amasses. “The security industry is a great field for any vendor that wants to test its worth,” says Ascena’s Tomallo. “We see 1.7 billion events a day. How you analyze those events and get to the actionable data is where the rubber meets the road.”
Robotic process automation (RPA) is another interesting class of technology benefiting incident response applications. “RPA offers different use cases that can be applied to various pieces of a security framework, from audit to identity management and from access management to the security operation center,” remarks Tomallo. Often incorrectly lumped into the AI discussion, RPA utilizes scripted software “bots” to perform highly repetitive and mundane tasks, such as data capture and validation.
Applying this type of automation to security events is core to initiatives such as the Security Orchestration, Automation, and Response (SOAR) solution stack. The term, attributed to IT research and advisory firm Gartner, refers to compatible software programs that collect security threat data, enrich it, and respond to low-level incidents without human involvement. “Security engineers spend a good portion of their time researching and coordinating security event data,” notes Tomallo. “With all the data in one place, they are at the tipping point of making an intelligent, informed decision.”
The orchestration and automation aspects of the framework are both legitimate and badly needed in incident response. Personnel are freed to address the subjective and complex situations that today’s automation cannot handle, and staff can escalate issues with a high level of confidence.
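As an added illustration of the triage logic a SOAR playbook automates (this is example code written for this page, not Ascena’s tooling or any vendor’s product), the script below scores a batch of constructed alerts against a few enrichment sources: a list of indicators received from a sharing community, the corporate address ranges, and an authorized scanner allowlist. Routine alerts are closed automatically, ambiguous ones are left in the analyst queue, and high-confidence ones are escalated with a reason trail. The alerts, indicator values (RFC 5737 documentation addresses), scoring weights and thresholds are all assumptions made for the example.

```python
"""Minimal SOAR-style triage over constructed alerts (added example, not Ascena code)."""
from dataclasses import dataclass, field
import ipaddress

# --- Enrichment sources (all constructed for this example) --------------------
# Indicators received from a peer or sharing community; documentation ranges only.
SHARED_INDICATORS = {"203.0.113.45", "198.51.100.7"}
# Corporate address space and an authorized vulnerability scanner (hypothetical).
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]
AUTHORIZED_SCANNERS = {"10.10.5.5"}
PRIVILEGED_USERS = {"admin", "root"}

# --- Thresholds on the 0-100 risk score (hypothetical policy) -----------------
ESCALATE_AT = 70   # page the on-call engineer
REVIEW_AT = 40     # leave in the analyst queue; below this, auto-close

# Constructed alerts in the shape a SIEM might forward to a playbook.
SAMPLE_ALERTS = [
    {"id": 1, "type": "port_scan", "src": "10.10.5.5", "dst": "10.20.1.7", "count": 900},
    {"id": 2, "type": "port_scan", "src": "203.0.113.45", "dst": "10.20.1.7", "count": 1200},
    {"id": 3, "type": "failed_login", "src": "192.168.4.9", "user": "jdoe", "count": 3},
    {"id": 4, "type": "failed_login", "src": "198.51.100.7", "user": "admin", "count": 250},
    {"id": 5, "type": "failed_login", "src": "203.0.113.99", "user": "svc_backup", "count": 40},
]


@dataclass
class Decision:
    alert_id: int
    action: str                 # "auto_close", "review" or "escalate"
    score: int                  # 0-100 risk score behind the action
    reasons: list = field(default_factory=list)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def triage(alert: dict) -> Decision:
    """Score one alert and decide what the playbook does with it."""
    src = alert["src"]
    score, reasons = 0, []

    # Known-benign sources are closed outright; volume does not change that.
    if alert["type"] == "port_scan" and src in AUTHORIZED_SCANNERS:
        return Decision(alert["id"], "auto_close", 0, ["authorized scanner"])

    if src in SHARED_INDICATORS:
        score += 60
        reasons.append("source matches shared indicator")
    if not is_internal(src):
        score += 20
        reasons.append("external source")

    if alert["type"] == "port_scan" and alert["count"] > 1000:
        score += 10
        reasons.append("high-volume scan")
    elif alert["type"] == "failed_login":
        if alert["count"] >= 100:
            score += 30
            reasons.append("brute-force volume")
        elif alert["count"] >= 20:
            score += 20
            reasons.append("repeated failures")
        if alert["user"] in PRIVILEGED_USERS:
            score += 10
            reasons.append("privileged account")

    score = min(score, 100)
    if score >= ESCALATE_AT:
        action = "escalate"
    elif score >= REVIEW_AT:
        action = "review"
    else:
        action = "auto_close"
    return Decision(alert["id"], action, score, reasons)


def run_playbook(alerts=SAMPLE_ALERTS) -> dict:
    """Return {alert_id: Decision} for a batch of alerts."""
    return {a["id"]: triage(a) for a in alerts}


if __name__ == "__main__":
    for d in run_playbook().values():
        print(f"alert {d.alert_id}: {d.action:10} score={d.score:3}  {'; '.join(d.reasons)}")
```

Run as-is, the playbook closes the authorized scan and the three stray internal logins, escalates the two alerts whose source appears in the shared indicator list, and leaves the 40-failure external login against a service account in the review queue: exactly the kind of subjective case the text says should stay with a person. The reason list on each decision is what makes the automation auditable; a playbook that only emits a verdict is much harder to trust.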
Understanding The Needs Of Your Organization
Compared to the broad security landscape that has existed for thousands of years, cyber and information security are still relatively immature. Learning, implementing, and evaluating new approaches and processes is a relentless cycle that sometimes leads cyber professionals to become their own worst enemy. “We talk too technical and often need to put our security speak into terms that the business understands,” says Tomallo.
And there will be times in operating the enterprise business where something goes really, really bad. Are you prepared? “This is where a lot of companies struggle,” concedes Tomallo. “What's really helped me is conditioning and having that conversation around risk.” Several tough questions can be asked in anticipation of the unknown:
- What do we care about at this organization?
- Is it okay that we have these records in this system?
- Are the important records and data sufficiently protected?
- How do I know when I have enough controls; can I take protection away?
- How is access from the internet managed?
- How do we know who has access to these records?
Enterprise security teams generally do not obsess about calculating risk. But consistently communicating risk within the organization is a tremendous growth area for most security teams. “The communication of security is a misstep with this fledgling industry,” says Tomallo. “Over the course of my career, especially early on, there were times that I simply did not understand the business context of what we were dealing with.” As an industry, Tomallo believes it is maturing and getting better at asking more intelligent questions and understanding the business context and consequences.
A group of Ascena’s non-IT executives and a couple of technical members of Tomallo’s team held an incident response training summit. Everyone in attendance rolled up their sleeves, understood this was a working session, and learned what needed to be done to support the teams running incident response efforts. The training simulated ransomware, a data breach, an insider threat, and a physical security issue, combined with typical IT system and store-level issues. The team had to quickly separate the information that was relevant and needed to be dealt with from the noise, or the scenario continued to escalate. The scenario also included social media and traditional news media coverage of the issue, including a press conference and a statement from one of the executives. The Ascena team received great praise and feedback from the vendor running the response scenarios.
But they also realized that “communications between teams could be much tighter and better choreographed,” according to Tomallo. While the security and legal teams are often tied at the hip, having spent time together, other functions were not as familiar with each other’s standard operating procedures, which led to minor delays in decision making. Depending on what is taking place, minutes matter. Focusing on efficiency, and having the conversations that keep Ascena ahead of what can be controlled, was very important. Should Tomallo call the CEO earlier in the process? Will the CFO be inundated with alerts if he chooses to be on a certain distribution list?
Those ancillary conversations – called “triggers” at Ascena – define who is picking up the phone and making the call when an incident occurs. Alerting and preventative technologies are increasingly common inputs to incident response. “You need to have visibility in order to have a real incident response,” says Tomallo. “Industry statistics demonstrate the progress. The time to detect an attack is decreasing. The number of third parties notifying organizations they have a serious incident is decreasing as well.”
Data shows that companies are indeed getting better at incident detection and response, but there is always room for improvement. How important is incident response planning to Tomallo? “If I don’t do something, something bad will happen!” His twenty years of business experience, coupled with the risk model, the risk calculation, and the drive for consistency, helps keep him grounded.
It is not uncommon for business units or departments to avoid interacting with security teams. They expect to be judged and told, "That's too risky. We cannot do it." With proper planning, and by using probability models and estimation techniques, Tomallo says security can confidently tackle any challenge. “It changes the conversation with the business. You tell them, ‘That's awesome, let's do this’ and they’re floored having never had security be so positive before.” It comes down to working alongside the business and helping it run faster.
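As an added illustration of the probability models and estimation techniques mentioned above (example code written for this page, not Ascena’s risk model), the script below runs a Monte Carlo simulation of annual loss for one risk scenario. It follows the general shape of quantitative risk analysis in the FAIR tradition, loss event frequency multiplied by loss magnitude, with each input given as a low / most likely / high estimate. The scenario name, every calibration number, the triangular distributions and the trial count are assumptions; the `freq_multiplier` argument lets you ask the “can I take protection away?” question by scaling event frequency up or down and comparing the resulting loss percentiles.

```python
"""Monte Carlo annualized-loss estimate for one risk scenario (added example, not Ascena data)."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    # Loss event frequency (events per year) as low / most likely / high estimates.
    freq_low: float
    freq_mode: float
    freq_high: float
    # Loss magnitude per event (dollars) as low / most likely / high estimates.
    loss_low: float
    loss_mode: float
    loss_high: float


# Hypothetical calibration, chosen for illustration only.
EXAMPLE = Scenario("credential stuffing against the e-commerce login",
                   freq_low=0.2, freq_mode=0.5, freq_high=2.0,
                   loss_low=50_000, loss_mode=200_000, loss_high=1_500_000)


def poisson(rng: random.Random, lam: float) -> int:
    """Events in one year at rate lam (Knuth's method; fine for the small rates used here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 20_000, seed: int = 7,
             freq_multiplier: float = 1.0) -> dict:
    """Simulate `trials` years of the scenario and summarise the annual loss.

    freq_multiplier scales event frequency, e.g. 0.5 for a control that halves
    successful attempts, or 1.5 to model removing an existing control.
    """
    rng = random.Random(seed)          # fixed seed so runs are reproducible
    annual = []
    for _ in range(trials):
        # Draw this year's rate from the frequency estimate, then the event count.
        rate = rng.triangular(s.freq_low, s.freq_high, s.freq_mode) * freq_multiplier
        loss = 0.0
        for _ in range(poisson(rng, rate)):
            loss += rng.triangular(s.loss_low, s.loss_high, s.loss_mode)
        annual.append(loss)
    annual.sort()

    def pct(q: float) -> float:
        return annual[min(int(q * trials), trials - 1)]

    return {
        "mean": statistics.fmean(annual),    # annualized loss expectancy
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": annual[-1],
        "p_any_loss": sum(1 for x in annual if x > 0) / trials,
    }


if __name__ == "__main__":
    base = simulate(EXAMPLE)
    halved = simulate(EXAMPLE, freq_multiplier=0.5)
    print(f"{EXAMPLE.name}")
    for label, r in (("baseline", base), ("frequency halved", halved)):
        print(f"  {label:17} mean ${r['mean']:>10,.0f}  p90 ${r['p90']:>10,.0f}"
              f"  p95 ${r['p95']:>10,.0f}  P(loss>0)={r['p_any_loss']:.2f}")
```

The mean of the simulated annual loss is the annualized loss expectancy, and a sanity check is available without the simulation: the mean of a triangular distribution is (low + mode + high) / 3, so the expected annual loss here is 0.9 events per year times roughly $583,000 per event, about $525,000, which the simulation should reproduce to within a few percent. The p90 and p95 values are what make the conversation with the business concrete: they say how bad a bad year looks, and comparing them before and after a proposed control is a defensible way to decide whether that control is worth its cost.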
Nontraditional Workforces To Address The Talent Gap
Attracting the right talent, people who appreciate and value the partnership approach, is another area in which Ascena’s Tomallo has seen success. To bridge the communications gap, the company seeks nontraditional workforces, such as individuals who may not have chosen the college career path or students who chose a field of study outside computers and engineering. “A teaching or psychology background, for example, is very beneficial for creating security education and awareness programs that appeal to non-technical personnel. People still need to learn about security hygiene, and we have found that training shouldn’t come from the security expert.”
The skills gap is real, and Ascena is fortunate to be part of a mature security market in Columbus, Ohio. More than 20 years ago, some of the first online services, such as CompuServe, were headquartered in Columbus. CompuServe was eventually acquired by AOL, and the fledgling internet drew several telecommunications companies to Columbus. Government partner Battelle and early B2B commercial software company Sterling are other examples of Columbus-based organizations with an emphasis on data security.
Cyber Security Meets Community-Building
“In retail, the different security teams talk on a consistent basis,” says Tomallo. “Columbus is an incredibly tight security community where Ascena, LBrands, Abercrombie & Fitch, and others will visit and share trends. Factor in DSW, Big Lots, Cardinal Health, AEP, Nationwide Insurance, Scott's, and Ohio Health all in the same region, and you have a community that helps each other. We’re all chasing the same thing.”
Tomallo notes that, as a CISO and executive leader, information sharing must be robust. The threats witnessed by Ascena’s security teams are not unique to its operations. “In the government, sharing of sensitive security information can be detrimental to the mission. We’re not in that industry.” Tomallo recommends that every CISO take an active role in their region and meet with other CISOs and executive leadership, as well as legal partners. “The old mindset of keeping everything close to the vest, and not disclosing security challenges is definitely going by the wayside,” concludes Tomallo.
On a national level, trade association National Retail Federation (NRF) hosts an IT Security Council forum for members to exchange information on current cyber threats and industry best practices. Similarly, the member-led Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) built a community to surface and share cyber threats. “We, as an industry, must come together and join forces to manage our common cybersecurity risks,” said Colin Anderson, chair of the RH-ISAC Board of Directors and global CISO of Levi Strauss & Co in a prepared statement. “A rising tide lifts all ships.”
Ascena’s Tomallo says that information from these organizations has assisted in thwarting at least a few attacks. “The important piece is meaningful information sharing about security and business from multiple industries,” he adds. Industry experience leads to specialization, such as credit card and payment transactions in the retail sector. Bringing those experiences together reinforces security principles across industries and acts as a force multiplier for communication within the retail community, benefiting each participant. “However, for the next emerging technology, not so much,” Tomallo concedes.
Less is known in these information sharing communities about newer technologies, such as IoT. While on the radar of every CISO, IoT discussions remain at a high-level. Many are asking what the potential risk and impact will be on their business. “We know the security around some of those systems may be in question. How does that pertain to Ascena?” asks Tomallo. “How does that pertain to some of our third-party solution providers?”
Staying informed is key to building a base of knowledge, best practices, and staying ahead of cyber security trends. Keeping abreast of the latest news headlines, tracking alerts on security and privacy topics, and participating in an industry or regional community all contribute to knowledge that lends value to your business, your industry, and the greater cyber community. In other words, the successful CISO is one who engages in robust information sharing.