INDUSTRY WATCH
Another major factor that has resulted in more security due diligence exercises being conducted by retail organisations is that their parent organisation holds a wider portfolio of companies, some of which are closely connected to the domain of information security. These parent organisations have a greater need for maintaining their brand image given their wider presence across multiple domains in the industry and hence they are more inclined towards conducting a thorough security due diligence on their vendor organisations. Prioritising security alongside other business objectives is highly recommended even for those retail organisations that do not think that information and security matter to them.
Digitisation has touched every aspect of our world, which means that the potential for an embarrassing security breach exists for almost any and every type of organisation. Retail organisations must consider obtaining information security certifications such as ISO 27001:2013 and PCI DSS if their software development and management is done in-house. Alternatively, if they outsource such activities or obtain a platform-based solution from an external vendor, then they must conduct a security due diligence exercise annually.
The risk of security breaches exists in every organisation, and a vendor that is able to adequately provide assurance that it treats security as an important business objective is the one that will usually be able to avoid such embarrassing and costly incidents.
Retail organisations should also consider including security metrics in their own business reviews. These could include numbers related to vulnerabilities discovered and resolved in the software applications that are being actively used, and the number of incidents or events that surfaced in a given duration. It can also include whether an active bug bounty program has been implemented and, if so, how many bugs were reported and resolved within a given period. It should also review the risk assessment of the data that is being stored, whether a detailed risk mitigation and business continuity plan exists, and whether these plans have been tested.

Shailendra Singh, Chief Information Security Officer – Capillary Technologies
78
INTELLIGENTCIO
Retail organisations should also consider including clauses and penalties related to data protection and data privacy in their vendor agreements. This ensures that a vendor becomes legally bound to provide adequate measures of security as part of their promised security deliverables.
The retail industry as a whole has been adopting practices that treat security as an important business objective, and it is quite likely that those who take security seriously are the ones that will ultimately prevail in the market.
Security and privacy consciousness of the general population has been improving rapidly in the post-EU GDPR world. This industry stands to upset the very audience it targets if security is not treated the way it should be.
www.intelligentcio.com