The Chief Information Security Officer role has responsibility for over 60 full-time security staff within the retailer.
Providing board-level advice to address the business’s number one corporate risk: data security
Like many large businesses, our client – a major UK retailer – is fundamentally changing its business model, focusing on digital services. This involves managing large amounts of customer data, and given that reputation and public trust are crucial to the retailer, it needed to create a new security model to support its changing business.
Mason Advisory was asked to provide a Chief Information Security Officer (CISO) to keep the organisation safe during its transformation.
Our consultant was instrumental in the redesign and restructuring of the security organisation, including developing the entirely new global CISO role. He reported to the board and was accountable for group security, with responsibility for a multi-million-pound budget. He also led the wider restructuring of the security team in order to build the right platform to deliver the new security model.
As CISO, he led the development of a security strategy in line with the digital business objectives, built around a more proactive detect-and-respond model (with a view to moving to a fully predictive approach in future). This moved away from traditional ‘bunker’ approaches to protecting systems. Extending the retailer’s successful use of customer data to generate retail insights, the security strategy depends on analysing machine data to produce security information and event management (SIEM) insights.
The strategy continues to be implemented using an Agile approach, so that it can be improved iteratively as the programme of work progresses. The strategy will deliver a more flexible security model to support the business’s digital ambitions.
Our CISO has also prepared the retailer for industry-leading information security certification, and ensured compliance with the Payment Card Industry (PCI) standards for payment processing and encryption.
Other key projects included:
- delivering risk reduction initiatives, such as designing a network segmentation project to split the PCI segment from the rest of the network
- encouraging secure software development
- managing access to services, including cloud services
- providing wrap-around security for third parties which need to access customer data
- implementing advanced malware detection and data loss prevention initiatives.
We also supported the retailer in making the transition to a full-time in-house CISO.