Intelligent CIO Middle East Issue 47 | Page 78

INDUSTRY WATCH

Shailendra Singh, Chief Information Security Officer – Capillary Technologies

Another major factor that has resulted in more security due diligence exercises being conducted by retail organisations is that their parent organisation holds a wider portfolio of companies, some of which are closely connected to the domain of information security. These parent organisations have a greater need to maintain their brand image, given their wider presence across multiple domains in the industry, and hence they are more inclined to conduct a thorough security due diligence on their vendor organisations.

Prioritising security alongside other business objectives is highly recommended even for those retail organisations that do not think that information security matters to them. Digitisation has touched every aspect of our world, which means that the potential for an embarrassing security breach exists for almost any and every type of organisation.

Retail organisations must consider obtaining information security certifications such as ISO 27001:2013 and PCI DSS if their software development and management is done in-house. Alternatively, if they outsource such activities or obtain a platform-based solution from an external vendor, then they must conduct a security due diligence exercise annually. The risk of security breaches exists in every organisation, and a vendor that is able to provide adequate assurance that it considers security an important business objective is the one that will usually be able to avoid such embarrassing and costly incidents.

Retail organisations should also consider including security metrics in their own business reviews. These could include numbers related to vulnerabilities discovered and resolved in the software applications that are actively in use, and the number of incidents or events that surfaced in a given period. They can also include whether an active bug bounty program has been implemented and, if so, how many bugs were reported and resolved within a given period. The reviews should also cover the risk assessment of the data being stored, whether a detailed risk mitigation and business continuity plan exists, and whether these plans have been tested.

Retail organisations should also consider including clauses and penalties related to data protection and data privacy in their vendor agreements. This ensures that a vendor becomes legally bound to provide adequate security measures as part of its promised security deliverables.

The retail industry as a whole has been adopting most of the practices that treat security as an important business objective, and it is quite likely that those who take security seriously are the ones that will ultimately prevail in the market. Security and privacy consciousness among the general population has been improving rapidly in the post-EU GDPR world. This industry stands to upset the very audience it targets if security is not treated the way it should be.