Fast-Tracking InfoSec: A Global Retailer's Success in Asset & Configuration
To stay competitive, companies must fast-track information security.
Imagine yourself as the CIO of a high-end retailer with a massive global presence. You offer high quality, unique products. Your customers are willing and happy to spend a pretty penny for your goods.
Yet most people would be surprised to learn that your business isn't just the products you sell. Your #1 priority is offering your customers an excellent experience, perhaps the best in the industry. How does a company deliver consistently top-flight customer experiences?
Today’s modern, high-end retailers engage in several activities that provide an exceptional customer experience, such as offering pop-up VIP events, on-demand communication with brand experts, and creating in-store customer profiles that offer customized suggestions on products from wine and premium coffee blends to clothing and home design.
To deliver these seamless, high-value experiences, companies deploy a range of connected devices (RFID tags, mobile devices, wearables) and connected services (custom software, on-demand platforms). Each device and service connects back into the company's supply chain, and the result is business and IT complexity. That complexity is necessary, but every connected component is also a potential point of compromise, so complexity is a significant risk, especially in cybersecurity. In practice, that risk shows up as breaches, compromised systems, or the inadvertent exposure of financial, customer, or proprietary data.
Case study in brief: introduction
We recently engaged with a global retailer to mitigate exactly this problem. The company struggled to reduce risk because it lacked the visibility and the IT asset management processes needed to maintain an acceptable level of security and compliance across a complex IT environment. Without a reliable picture of its own estate, the company had limited ability to report against the standards and regulations it was subject to (PCI DSS and GDPR), which left two major weaknesses: it could not demonstrate compliance, and it had limited processes to prevent, detect, and recover from security incidents, so it responded to them slowly. Slow responses compound risk.
Fortunately, companies that take an outcomes-focused approach to InfoSec can untangle these complexities quickly, and then build on that base to keep improving their security capabilities and maturing their processes. Let's look at InfoSec and the three things we have learned while helping our global partners.
InfoSec doesn’t have to be so difficult
Our conversations and experiences with our partners underscore the need for information security for every single company, but most companies don’t know where to start. Here are the three takeaways every company must understand about information security:
#1. InfoSec is necessary.
Information security is vital because the information you hold about customers, payments, and your own operations is both valuable to attackers and subject to regulation. Unfortunately, it is extremely challenging because of the growing complexity of IT environments, the same environments that deliver the excellent customer experience. We have seen, time and time again, that most companies want to tackle InfoSec but don't know where to start.
Solution: Use an outcomes-based process with defined, measurable results.
#2. A bottom-up approach is wrong.
If customer service is core to successful businesses today, digital transformation is how companies get there, and that means more ways of interacting with customers. With more channels to manage, your company's infrastructure becomes exceedingly complex.
As complexity increases, so does your exposure to threats.
InfoSec reduces that exposure, but it cannot be all-encompassing from day one. An organization's information is effectively unbounded; you will never fully catalogue everything you have. A "bottom-up" approach, where you attempt to collect all your data and perfect its quality before putting any of it to work, is a waste of time.
Solution: Take a top-down approach, focusing on a single use case at a time.
#3. Two key processes ensure InfoSec success, now and in the future.
To manage your technology complexity and achieve information security, and with it your competitive edge, you must implement a two-part, outcomes-based solution: Asset Management and Configuration Management. These processes are foundational to every major information security standard and framework, because you cannot protect, patch, or monitor what you have not identified, and they also affect every other technology domain in your company.
Our conversations and experiences with our partners indicate that deploying well-scoped use cases for Asset and Configuration Management not only promotes information security holistically but also aligns you with compliance standards and frameworks.
Solution: Optimize your processes around Asset and Configuration Management using COBIT 5 principles. With your information secured, your business will continue to improve and move closer to your customers.
Case study in brief: the results
Applying these methodologies over four months, our global retail partner:
- Instituted a comprehensive, end-to-end Asset Management process that spans all servers, networks, software, and mobile devices
- Deployed a Configuration Management process that centralizes all discovered assets in a new CMDB (Configuration Management Database), serving as a single source of truth fed by discovery across hardware and software
- Established Data Exploitation and Data Quality Management, so that CMDB data is actively used by other processes while its quality is continuously measured, with bad records proactively identified and remediated
With these processes in place, our global partner achieved the following successful outcomes:
- Passed an internal Information Security audit
- Developed a comprehensive Asset Management process that continuously improves as we help them iterate on additional use cases
- Achieved 95% IT asset discovery as part of Configuration Management
- Established a CMDB covering all IT assets, refreshed every 24 hours
- Integrated their service desk with the CMDB to improve incident and change management decision-making process using the most up-to-date information
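The reconciliation behind the discovery-coverage, refresh-interval, and data-quality outcomes above can be made concrete. The following is an added example, not the retailer's or any vendor's tooling: it compares a discovery sweep against CMDB records, computes the coverage percentage, flags assets discovered but absent from the CMDB (unmanaged devices that sit outside patching and monitoring), flags CIs not refreshed within the 24-hour window, flags orphaned CIs that discovery no longer sees, and applies simple data-quality rules. All hostnames, serials, owners and timestamps are constructed samples, and the field names and the `reconcile` function are assumptions for illustration.

```python
"""Reconcile an asset-discovery sweep against CMDB records.

Added example (not the retailer's tooling). Records and field names
below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: what an automated discovery sweep returned.
DISCOVERED = [
    {"hostname": "pos-nyc-01", "serial": "SN1001", "ip": "10.1.0.11"},
    {"hostname": "pos-nyc-02", "serial": "SN1002", "ip": "10.1.0.12"},
    {"hostname": "db-eu-01", "serial": "SN2001", "ip": "10.2.0.5"},
    {"hostname": "kiosk-lon-7", "serial": "SN3007", "ip": "10.3.0.70"},  # unknown to CMDB
]

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample: configuration items (CIs) held in the CMDB.
CMDB = [
    {"ci_id": "CI-1", "hostname": "pos-nyc-01", "serial": "sn1001", "owner": "retail-ops",
     "last_updated": NOW - timedelta(hours=3)},
    {"ci_id": "CI-2", "hostname": "pos-nyc-02", "serial": "SN1002", "owner": "",
     "last_updated": NOW - timedelta(hours=30)},   # stale refresh, missing owner
    {"ci_id": "CI-3", "hostname": "db-eu-01", "serial": "SN2001", "owner": "dba",
     "last_updated": NOW - timedelta(hours=1)},
    {"ci_id": "CI-4", "hostname": "legacy-fw-01", "serial": "SN9001", "owner": "netops",
     "last_updated": NOW - timedelta(days=40)},    # orphan: discovery no longer sees it
    {"ci_id": "CI-5", "hostname": "db-eu-01-dup", "serial": "SN2001", "owner": "dba",
     "last_updated": NOW - timedelta(hours=1)},    # duplicate serial
]


def norm_serial(serial):
    """Serial numbers are the join key; normalise case and whitespace."""
    return (serial or "").strip().upper()


def reconcile(discovered, cmdb, now, max_age=timedelta(hours=24)):
    """Compare a discovery sweep with the CMDB and return the findings."""
    by_serial = {}
    for ci in cmdb:
        by_serial.setdefault(norm_serial(ci["serial"]), []).append(ci)

    matched = [a for a in discovered if norm_serial(a["serial"]) in by_serial]
    unknown = [a["hostname"] for a in discovered if norm_serial(a["serial"]) not in by_serial]
    coverage = len(matched) / len(discovered) if discovered else 0.0

    seen = {norm_serial(a["serial"]) for a in discovered}
    orphaned = [ci["ci_id"] for ci in cmdb if norm_serial(ci["serial"]) not in seen]
    stale = [ci["ci_id"] for ci in cmdb if now - ci["last_updated"] > max_age]

    bad_data = []
    for ci in cmdb:
        if not ci.get("owner"):
            bad_data.append((ci["ci_id"], "missing owner"))
        if not norm_serial(ci.get("serial")):
            bad_data.append((ci["ci_id"], "missing serial"))
    for serial, cis in by_serial.items():
        if serial and len(cis) > 1:
            for ci in cis:
                bad_data.append((ci["ci_id"], f"duplicate serial {serial}"))

    return {"coverage": coverage, "unknown": unknown, "orphaned": orphaned,
            "stale": stale, "bad_data": bad_data}


def meets_target(result, target=0.95):
    """The 95% discovery figure in the case study, as a pass/fail gate."""
    return result["coverage"] >= target


if __name__ == "__main__":
    r = reconcile(DISCOVERED, CMDB, NOW)
    print(f"coverage: {r['coverage']:.0%} (target met: {meets_target(r)})")
    print("unknown to CMDB:", r["unknown"])
    print("orphaned CIs:", r["orphaned"])
    print("stale CIs (>24h):", r["stale"])
    for ci_id, issue in r["bad_data"]:
        print(f"data quality: {ci_id}: {issue}")
```

Run as a scheduled job after each discovery sweep, the "unknown" list is the input to the asset-onboarding process, the "orphaned" list is the candidate decommission list that change management should confirm before trusting those CIs, and the stale and bad-data lists are the remediation queue for data quality management. In this constructed sample coverage is 75%, so the 95% gate fails, which is the normal starting state before the process matures.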
Any organization can reach higher levels of information security maturity by focusing first on Asset and Configuration Management.