Why a superstore reinforced its cyber walls to protect its customers

Following a current-state risk assessment, a new operating model was designed to meet the goal of effectively serving customers both internal and external to the organization. The operating model centered around scalability, technology rationalization, elimination of redundant solutions and improved collaboration across the broader enterprise. The team sharpened the focus on security service delivery by developing refreshed service catalogs for internal customers, redefining roles and responsibilities, and helping to establish an interaction model to facilitate teaming.

While the operating model provided the roadmap for enacting change, a series of strategic projects were initiated to increase the organization’s capabilities, impede data threats, increase existing digital security investments and mitigate security risks impacting the customer.

• Security Operations Center (SOC): To detect and combat ever evolving threats against its systems and customers, the SOC acts as the nerve center of the cybersecurity function. EY standardized and operationalized 24x7 SOC coverage for the organization, including night and weekend coverage through staff augmentation. To empower the retailer, training and mentorship were provided to staff to transition responsibility without disruption to operations. A threat-driven prioritization methodology with scenarios specific to the organization prioritized the most impactful threats, and proactive threat-hunting allowed countermeasures to be developed. These improvements to coverage and skills helped protect customers through around-the-clock vigilance. Workflows, an enhanced log and case management system matured the SOC further. Automation and migration to a cloud-native platform further optimized the SOC, which helped to properly store information and inform future decision making. A return-on-investment calculator also prioritized future SOC automation activities to achieve maximum threat reduction and manpower optimization.
• Vulnerability management: EY teams enhanced processes for the vulnerability management program by working in lockstep with IT and the business, implementing solutions to automate prioritization, orchestration and reporting of vulnerabilities throughout the organization. The new program uses a governance framework and scanning solution to revamp asset groups, tags and scan jobs. The enhancements to the vulnerability management program and scanning solution allowed for growth in the program’s maturity, resulting in a more robust solution which led to a reduction of 72% of vulnerabilities across the organization.
• Identity Access Management (IAM): The organization’s legacy IAM program was a patchwork of obsolete systems and manual processes supported by applications that were largely unaccounted for, leading to control deficiencies, governance gaps and risks pertaining to resource access. EY teams worked to help this retailer properly manage digital identities and establish an identity governance platform. An authoritative identity data warehouse (IDW) was built to facilitate end-to-end identity management, strengthen control effectiveness, standardize IAM processes and eliminate redundant tools. By migrating to cloud-based platforms, the organization standardized critical controls, certifications and password management and consolidated its tooling architecture to decommission seven legacy systems. This helped eliminate technology platform redundancies, as well as limited the number of access entry points. New IAM services now better protect the organization’s digital perimeter by streamlining the onboarding and offboarding experience, supporting employees with secure self-service password management options and automating access provisioning.
• Technology Governance Risk and Compliance (GRC): Governance, risk and compliance should aim to be the most integrated function within a cybersecurity program, providing the foundation for good risk identification, prioritization and treatment. When EY teams were first engaged, the organization’s GRC was fragmented amongst multiple cyber teams and took a controls-led approach with compliance being the top focus. Through significant collaboration and education, a risk-based, technology-enabled strategy was built for the retailer. Beginning with the current GRC technology platform, the team identified architecture modifications to better integrate the cyber risk program and help ensure identification, tracking, workflow and response were all streamlined processes. The team identified an industry standard framework to drive consistency for controls, policies, standards and to align top risks. The team educated the business on cyber risk, focusing on possible threats to operations (e.g., back office, supply chain, stores) that the retailer is facing. Future GRC maturity will continue to refine the way risk is identified and improvements to the cybersecurity posture are prioritized based on the impact to the business.

Nearly three years after this cybersecurity transformation began, this superstore now has a secured foundation to combat future threats and has proactively allocated annual funding towards cybersecurity to show their continued commitment to protecting customer data, addressing future risk and building consumer confidence.

Results include:

• 1b+ customer data points better secured
• 100,000+ employees have access to newly secured data tools
• 1,000+ store locations protected with new security solutions
•  72% reduction in vulnerabilities
•  7 legacy systems decommissioned