
During this episode of Inside the CISO’s Office, retired Kroger CISO Brian Lawhorn talks about how he took the retailer’s cybersecurity program from zero to 180. When Lawhorn joined Kroger in August 2000, he was dealing with a somewhat different playbook than today’s information security executives.
With no existing program to build upon, no designated budget, and a growing identity and access provisioning problem stemming from a stream of mergers and acquisitions, Lawhorn was tasked with laying the foundation for Kroger’s cybersecurity program.
The Department of Defense’s cybersecurity regulations wouldn’t come into effect until 2011, five years after the Payment Card Industry Security Standards Council (PCI SSC) was formed. So Lawhorn did not yet have to build the program around PCI compliance. However, because Kroger had already been in the pharmacy business for nearly 40 years, he still had to comply with the Health Insurance Portability and Accountability Act (HIPAA) and protect customers’ medical information.
Budgeting and identifying priorities
Lawhorn’s first order of business at Kroger was to fix identity creation and access issues. With multiple employees sharing the same name, creating e-mail addresses became complicated. Lawhorn tapped one of his team members to write code for a new identifier scheme that avoided predictable naming conventions. “We created a convention where every employee ID had a unique set of numeric and alphabetical characters,” he said. “We thought a standard code gives a bad actor some percentage of advantage.”
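The security point behind that convention is enumerability: a login derived from a person's name can be predicted by anyone who knows the name, and the counter appended to handle duplicates makes the rest of the series guessable too. The following Python is an added example, not Kroger's actual scheme (the article does not describe it); the alphabet, identifier length, the two constructed sample employees and all helper names are assumptions of this example. It contrasts a name-derived convention with identifiers drawn from a cryptographically secure random source, checked for uniqueness against a registry and rejected if they happen to contain the employee's surname.

```python
import math
import secrets
import string

# Example alphabet: upper-case letters and digits minus the visually ambiguous
# 0/O and 1/I, so an ID survives being read aloud or typed from paper.
# Assumption of this example, not a documented Kroger convention.
ALPHABET = "".join(sorted(set(string.ascii_uppercase + string.digits) - set("01IO")))
ID_LENGTH = 8  # assumed length; 8 chars over a 32-symbol alphabet is 40 bits


def name_based_logins(directory: list[tuple[str, str]]) -> list[str]:
    """The convention the article moves away from: first initial plus surname,
    with a counter appended on a clash. Given one 'Pat Lee' an attacker can
    predict plee, plee2, plee3 ... for every other Pat Lee in the company."""
    seen: dict[str, int] = {}
    logins = []
    for first, last in directory:
        base = (first[0] + last).lower()
        n = seen.get(base, 0)
        seen[base] = n + 1
        logins.append(base if n == 0 else f"{base}{n + 1}")
    return logins


def leaks_name(identifier: str, first: str, last: str) -> bool:
    """True if the identifier reveals the surname or initial+surname."""
    ident = identifier.lower()
    return last.lower() in ident or (first[0] + last).lower() in ident


def new_employee_id(registry: set[str], first: str, last: str) -> str:
    """Allocate an identifier with no relationship to the person's name.

    secrets.choice draws from the OS CSPRNG, so IDs are not predictable from
    earlier ones. Collisions are unlikely at 40 bits, but the registry check
    is what actually guarantees uniqueness; a candidate that happens to spell
    the surname is discarded so the ID never looks name-derived."""
    for _ in range(100):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(ID_LENGTH))
        if candidate in registry or leaks_name(candidate, first, last):
            continue
        registry.add(candidate)
        return candidate
    raise RuntimeError("could not allocate a unique employee id")


def random_ids(directory: list[tuple[str, str]], registry: set[str]) -> list[str]:
    """Assign every employee in the directory a fresh random ID."""
    return [new_employee_id(registry, first, last) for first, last in directory]


def id_entropy_bits(length: int = ID_LENGTH) -> float:
    """Guessing work for one ID: log2(alphabet size) bits per character."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample directory: two employees who share a name.
    staff = [("Pat", "Lee"), ("Pat", "Lee"), ("Sam", "Ortiz")]
    print("name-based :", name_based_logins(staff))        # plee, plee2, sortiz
    print("random     :", random_ids(staff, set()))         # e.g. 3 unrelated IDs
    print("entropy    :", id_entropy_bits(), "bits per id")
```

Run it twice and the name-based column is identical each time while the random column changes; that difference is exactly the "percentage of advantage" a predictable convention hands an attacker who is building a password-spraying or phishing target list.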
Along with identity management, Lawhorn’s new cybersecurity plan also needed to cover physical assets and a software inventory. To secure the necessary budget, Lawhorn met with Kroger’s audit committee and full board of directors several times a year. Even so, he took a conservative approach to spending.
He collaborated with staff from other departments who had the skills to write code and hired talented interns. He also outsourced work to qualified information technology professionals in India to keep budget needs from adversely affecting the organization.
Lawhorn coupled those efforts with startups willing to charge moderate rates to a Fortune 50 client in exchange for the brand recognition and credibility that work would give them with future clients.
Talent retention as part of a cybersecurity program
Building the right IT staff requires significant investments of time and budget. With a diverse retail business that included groceries, pharmacies, fuel, and jewelry, Lawhorn looked beyond college degrees. His first hire was a former coworker 20 years his senior. His eventual deputy CISO was a former Kroger intern. “It was about having the talent and capabilities to work in a very difficult environment,” he said.
Keeping team members long-term also meant keeping costs down and productivity high. Replacing a staff member likely meant paying a higher salary and absorbing the lag time while the new employee went through onboarding.
Lawhorn’s solution was to have quarterly one-on-ones with his team. “There are many reasons why you want to keep your teams happy, engaged, and trusting in their leaders. A quarterly touchpoint seems a reasonable timeframe to ensure they’re not burning out,” he said.
Cyberattacks on vendors
According to Lawhorn, Kroger does business with roughly 250,000 contractors, vendors, and business partners. During the pandemic, Lawhorn became acutely aware of a rise in cyberattacks against vendors. Not only did he have to reevaluate the safeguards in his cybersecurity program, but Kroger was also compelled to assist vendors when they were hit by ransomware.
When a major frozen food provider lost access to their systems, Kroger helped get them back online because a potential loss of this vendor’s deliveries would have resulted in Thanksgiving sales losses for Kroger.
Most CISOs might not think about their alignments with suppliers, but it is in both parties’ interests to be successful at the end of the day.
A successful cybersecurity program should assess five areas of responsibility, which correspond to the five core functions of the NIST Cybersecurity Framework:
- Identifying risks to the organization, including its systems, people, assets, data, and capabilities.
- Protecting these assets, ensuring the delivery of critical services and the resiliency of business operations.
- Detecting threats and developing the capability to spot attacks.
- Responding to security incidents effectively using tried-and-true processes.
- Recovering from an incident quickly, assessing gaps and correcting issues.
The one constant of every cybersecurity plan
Cybercriminals will never stop. They also have more money, resources, and willpower than most organizations, so businesses must prioritize modernizing their security systems.
“They only need to be right once, and we need to be right every day,” Lawhorn concluded.
This reality is why continuous penetration testing is essential for every cybersecurity plan.
CBTS has decades of experience partnering with companies across all sectors to devise and implement technology solutions. Contact our experts today to learn how we can help you optimize your cybersecurity program.