Our research has shown, and frankly all of us over the past two years have seen, the IT executive clearly step to the forefront in the landscape of the most critical roles for enterprise success and transformation. From the beginning of the pandemic the CIO was the hero who got us safe and operational from our homes in a matter of days, to innovating new technologies for how to improve remote work, adding value to the volatile and ever-changing customer experience needs, and even engineering new technology-enabled business models. The roles of the CIO, CTO and CDO were prominent in all the research we did…but what about the CISO? Oh, yeah, that SURE is important, particularly today, more than ever! But they are like having insurance: we sure need it but we don’t talk about it over dinner much. But I started to ask if the future of security in a world of cyber hacking and even threatened cyber wars brings the role of the CISO more to the forefront.
If we were writing a chapter on the role of security in the transformation journey, would it be only to point out the obvious foundational requirements at each and every juncture? Or is there something more? I reached out to Jerry Dixon, CISO of cybersecurity technology company CrowdStrike (who better to join efforts for such a question, right?), and we started asking just that question, just that way, “How is the role of the CISO emerging as more than just a foundational requirement, but instead as a driver of the transformation itself…?” What emerged surprised me, and I wanted to have you consider it as well. Would you believe that the ever-present public threat of cybersecurity has gotten to a level that in some sectors, including retail, health care and financial services, customer safety and security has become a competitive advantage?
Jerry and I decided to pull together a group of CISOs and dig in together. And our first call was to Rich Agostino, CISO of Target, from whom I have learned so much over the years. Rich had a number of points to make about the CISO as a source of competitive advantage.
Leading the Enterprise on Consumer Well-Being
“Cybersecurity isn’t marketed in retail as a reason to shop one store over another. But that doesn’t mean that cybersecurity is not a huge enabler of growth,” says Rich, “…our team of hundreds of in-house security experts help protect Target and our guests against cybercriminals and fraudsters so that our business can continue to smoothly operate and scale.”
This, of course, encompasses foundational cybersecurity requirements like protecting credit-card data and working to ensure that new technology developed at Target keeps customer data secure, but it also extends to other areas of customer experience, as he explained through a couple of vivid examples.
Protecting the Legitimate Retail Customer from Bots
One example of the cybersecurity team leading the company in elevating the overall customer experience is the mitigation of bots that are used to divert inventory from actual customers for resale on third-party resale sites. Over the last few years, the volume and variety of bots have grown exponentially, creating challenges for any retailer.
Rich goes on to list some of these challenges, including:
- Creating a fair playing field for all guests by preventing bots from essentially “cutting the line”, oftentimes to buy up inventory that they then turn around and sell through other marketplaces at a higher price.
- Maintaining stability of the Target website to scale under peak demand so that a rapid influx of bot volume doesn’t cause impact.
“Bots became more commonplace during the pandemic as people quickly needed and looked for Purell and safety items like that. Now bots appear for big gaming console launches and releases of trading cards and collectibles.”
Rich explains that his team uses a combination of custom and third-party technology solutions and threat intelligence to identify and block bots. They review and cancel orders to catch other reseller tactics, and work cross-functionally with other teams at Target – merchandising, digital and marketing – to provide a fair shopping experience for all guests. The goal is for highly demanded items to go to customers who are there to purchase for themselves, friends or family.
Reducing Returns Fraud
Rich gives an example of another issue, further outside the traditional realm of cybersecurity, where his team has been able to add to the company’s bottom line – returns abuse. During the pandemic, an easy return process for online orders became even more critical, especially for customers who felt uneasy going into stores.
“A couple years ago, Target introduced an option that allowed some items to be eligible for a refund or replacement request online. This helps guests get their money back faster in certain instances without going into a store or UPS drop-off location and then waiting for verification and processing. The feature provides a convenient experience for guests, but it also introduces more opportunities for potential scams.”
According to data compiled by the National Retail Federation, fraudulent returns in the U.S. amounted to $23.2 billion in 2021, just over 10% of total returns of online goods. So, the opportunity to realize savings is substantial. Many organizations have to rely on stricter return policies to address rising fraud rates, which can introduce more friction for consumers. Target took a different approach, leveraging the expertise of their cybersecurity team to create several new tools and processes to analyze transactions from the time of purchase to the time of return. As a result, Target’s returns fraud declined significantly. Rich cites this as an example of how the cybersecurity team was able to step in and support a safe and flexible option for guests, ultimately helping to enable a great guest experience.
Security Equally Important to Healthcare and Financial Services Consumers
While retail is an example of an industry where consumers are sensitized to cybersecurity to the degree that trust and safety become part of a company’s brand, there are other sectors where the concern is just as great. If a hospital’s systems are breached, for example, and clinicians lose access to patient data, the impact could be life and death, a health-care industry CISO pointed out.
Financial services companies experience as many cyber-attacks as any sector. Brian Moynihan, Bank of America’s CEO, has been quoted as saying that his company spends over $1 billion/year in cyber protection. Banks and other companies cooperate and share threat intelligence and conduct tabletop exercises via the Financial Services Information Sharing and Analysis Center, an industry group that includes participants from virtually all parts of the sector. A financial services CISO, speaking off the record, told us that cybersecurity is a huge enabler and that he was able to track revenue generation around it at the last two banks where he worked.
Anticipating Broader Areas of Improved Customer Safety and Experience
While the foundational priorities of defending against cyber threats and enabling the broader tech team to work quickly and securely are not diminishing, the role of the CISO is now equally about driving value creation and transformation in the enterprise. By anticipating broader areas of customer safety and improved experience, the CISO can be a model for any executive looking around corners for transformation and partnership. The CISO, perhaps more than any other role in IT leadership, has always had to learn how to become the ULTIMATE PARTNER in an organization – to lead without authority and to develop the skill of partnership and “co-elevation” in the C-suite.