R-CISC Highlights from the Retail Collaboratory

Earlier this month, the R-CISC team was proud to host our first Retail Collaboratory event. We welcomed a crowd of 130+ retail information security pros, industry experts, and strategic sponsor partners for two days of collaboration and member-led discussions. Our team is appreciative of the many individuals who helped build this inspiring event: the speakers and workshop facilitators who brought us valuable learning, and our sponsoring partners for their support. Our participants brought the Retail Collaboratory alive with their genuine desire to share knowledge, build bridges, and offer support to help us move the needle for retailers.

As a close out to the event, the R-CISC team brings you our top takeaways from the two days in Frisco, Texas. In no particular order:

  • Turning Ideas into Actions: For those of you in the room when Jamie Wallace led a discussion around the ‘lightbulb’ moments from the conference, I’m sure you’ll agree that the power of active and vulnerable engagement is vast. Each audience member was asked to share their key takeaway from the event. Going around the room we heard things like: ROI of sharing technologies, TIPs, defining process around sharing, handling threats, etc. Of the comments, what stood out was the similarity and differences in takeaways. Much of what attendees detailed wasn’t related to a particular agenda item, but it was actionable suggestions heard from facilitators, speakers, and attendees alike. We hope that the ideas and potential shared will turn into a reality.

  • Building a Benchmarking Framework: The CISO leaders launched a member-driven working group around strategic benchmarking. This group of leaders walked through the ‘what’ and the ‘why’ CISO benchmarking data is necessary and took the first steps toward solidifying a framework fit for our enterprise. The group will drive outcomes to support the need for retail industry focused data, with this session marking the beginning of a dedicated initiative for members to come together in small groups and work on benchmarking to align security investments with business investments, measure incident response and risk tolerance, frame out team structure and chart progress as a security organization.

  • Learning from One Another: The R-CISC ISAC analysts participated in several discussions intended to propel trust and engagement around relevant matters for fellow analysts. They saw organizations with less mature capabilities discussing their needs directly with those further down the path. Analysts expressed the need for comprehensive threat intelligence – Who, What, When, Where, Why and How (5W’s+H) – and best practices on using this information for defense, predicting threat activity, and defining the scope of responsiveness resources required. Interactive sessions and dialogue helped members to understand the value of building threat intelligence programs, and just what those programs look like. These conversations seeded ideas that will continue to be explored at the R-CISC Retail Annual Retail Cyber Intelligence Summit.

  • ATO and Fraud Activities Dominated Conversation: Fraud activity was discussed in nearly 50% of the conference sessions. It’s a complex problem, magnified by its impact to cyber and fraud areas, numerous actors and campaigns, and the variety of Tactics, Techniques, & Procedures (TTP’s) employed by criminal actors. The Retail Collaboratory served as a Launchpad for a Fraud Working Group, led by Matthew Harless at Synchrony Financial Bank. Matt and fellow R-CISC members and retailers framed the initial constructs for the working group at the event. Initial objectives include collective work to enable information flow for gift card fraud related activity, establishing guidelines for determining normal vs. abnormal behavior, and building awareness of “red flags” to reduce the impact of fraud crime.

  • Furry Friends: Lastly, how can we not mention Bronte the dog? A surprising, and perhaps a slightly operationally-stressful addition to the event, she was relaxed and happy to be around the masses during networking times and of course, food breaks. She brought joy to many – our members are clearly dog people!

Did we mention your top moment? What’d we miss? What would you like to see at the R-CISC Retail Cyber Intelligence Summit in October? E-mail us your comments at, we’re always interested in member feedback and suggestions.

Read More
Whose Line is it Anyway? One CISO’s Approach to Board Communications

Recently, the R-CISC team sat down with Scott Howitt, SVP & CISO at MGM Resorts International, to learn more about his approach to assessing, prioritizing, and communicating risk to the board of directors. To learn more about additional strategies, join Scott and other retail CISOs in an upcoming workshop discussion of risk tolerance taking place at the R-CISC’s Retail Collaboratory on May 9-10 at the Westin Stonebriar in Frisco, Tx. The Collaboratory’s inaugural agenda can be found at Interested in participating? Contact us at


Welcome to the big time – as a CISO, your time has arrived. Today’s CISO regularly commands the attention of the Board and Audit Committee, and for good reason. Over recent years, industry impacting events have pushed cyber security to the top of board meeting agendas, and CISOs serve as an expert advisor in informing the board on organizational risks. As times and board priorities change, so too must the CISO’s strategy for deftly translating cyber security ‘speak’ into meaningful, board-level communications.


As CISO for MGM Resorts International, Scott Howitt is accountable for creating, implementing and overseeing a wide series of strategies and programs to limit information security risk across six separate business units. From retail to hotels, gaming, sports arenas, restaurants and entertainment venues, Scott’s purview encapsulates a wide range of risks which he must then assess, prioritize, and communicate to the board. Read on for a sampling of strategies Scott shared with our team, and for information on the opportunity to join him and more retail CISOs for an interactive, deep-dive discussion of these and other strategies.


Educate yourself, then educate the board.


Take advantage of the many online resources available on board guidance, including example questions that the board should ask of the CISO. If you’re not sure where to start, the New York Stock Exchange’s Corporate Board Member magazine can give you an idea of which questions board directors might bring to the table during your next meeting.


Recent litigation suits underscore the high price of the wrong answer to whether an organization has implemented ‘reasonable data security measures’. As the CISO, it’s your job to educate the board on your organization’s information security risk profile, which defensive measures are in place, and where resources are needed to enhance security posture. While it is up to each individual organization to implement security-driven defensive measures based on the unique nature of their risks, here are some useful resources to help the conversation:


  • This recently published document from the Federal Trade Commission (FTC) illustrates the top 10 lessons learned from recent law enforcement actions pursued by the FTC
  • The public private partnerships established between government and industries have made significant progress in improving the nation’s cybersecurity posture – your participation as a member of the R-CISC demonstrates your organization’s commitment to proactively strengthening your cybersecurity program’s capabilities
  • The NIST cybersecurity framework offers the model for a scalable approach to managing cybersecurity-related risks
  • The PCI data security standard applies to companies of any size that accept credit card payments


Channel your inner CFO.


Understand these terms and why they’re important, because odds are that every other individual in the board room will know them, too.

  • CAGR
  • CapEx/OpEx


Ie: Understand the net impact of status to [EBITDA, CAGR, operations] and provide solid reasoning to support your assertion.


Be proactive – hire an external auditor.


Because why wouldn’t you want to be the one driving this conversation? Bring in an external auditor to provide their opinion on the information you should be presenting to the board. Inevitably, the subject of an independent audit will be broached at some point. By initiating this process proactively, you’re well positioned to address questions and to communicate findings to leadership.


Remember, cybersecurity is an afterthought unless you can demonstrate the direct correlation between your program and business impact. Retailers can learn more about this approach along with additional strategies in Scott’s upcoming workshop discussion of risk tolerance taking place at the R-CISC’s Retail Collaboratory on May 9-10 at the Westin Stonebriar in Frisco, Tx. Interested in participating? Contact us at


Read More
Key takeaways from the R-CISC’s week at RSA Conference

Hi, I’m Alex Brown. As Community Manager at the R-CISC, I’m thrilled to begin working with and learning from all of you on how to best facilitate conversations and disseminate information that drives value for you within your organizations and in the retail cybersecurity space. Kicking off what I hope to be an ongoing conversation, I wanted to share some information on what we’ve been up to thus far in 2017 and what we’re planning for all of you in the coming months.

Like many of you, the R-CISC team just wrapped up a brilliant week full of thoughtful conversation, strategy, development, and important security conversations at the 2017 RSA Conference. We connected with many from the ISAC and ISAO community, retailers, government agencies, associate members, and media partners. We’re energized and excited to move forward with partnerships that amplify opportunities to support the retail cyber intelligence community.

The R-CISC hosted several events at RSA. One session informed members of our 2017 initiatives that guide our advancement. We’re amplifying existing partnerships and building new ones to increase information sharing capabilities and enhance our access to intelligence that heightens strategic knowledge exchange. The R-CISC also facilitated a peer-to-peer discussion on digital transformation that focused on customer attack vectors, attacker innovation, strategies for mitigating risk, challenges and best practices in the field. Lastly, we had an open house on Friday morning for more informal conversation and connections with members. To those of you who took the time to attend our sessions, thank you for engaging and supporting the R-CISC community. We hope that your time spent with us was valuable.

Our inspired group of R-CISC staff are now diving head first into the 2017 Retail Collaboratory, the next big meeting for information security professionals within retail. This event, taking place May 9-10 in Frisco, Tx is a unique, two-day forum designed with workshop and whiteboard style sessions intended to shepherd meaningful dialogue that addresses retail critical subjects.

Look for an announcement in the coming week that highlights some of our exciting speakers and sessions. Interested in attending? Please go here to learn more about qualifications to attend, hotel information, and to register today.

Interested in participating in the agenda? Questions about the Collaboratory? Please reach out to me directly at

Read More
The Retail ISAC (R-CISC) Presents our Holiday Guidance Series for Retailers

The Retail ISAC (R-CISC) is pleased to invite all eligible retailers to join in our upcoming Holiday Guidance webinar series designed to arm information security professionals from retail, restaurants, hotels, hospitality, and our partner sectors with actionable insight, strategies, and peer discussion opportunities throughout this most busy time of year! Interested individuals can email for registration details and join prepared to engage and share during these lively, interactive sessions. For more information on the R-CISC email

As many of you are aware, on October 21, 2016, a series of distributed denial-of-service (DDoS) attacks against Dyn DNS impacted the availability of a number of sites concentrated in the Northeast US and, later, other areas of the country. Impacted sites included: PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify, and RuneScape. While the attacks were still ongoing, Flashpoint was able to confirm that at least one portion of the attack was initiated by a Mirai Command and Control server. R-CISC Core/Core+ members and eligable, non-member retailers are invited to join on Wednesday, November 2 from 11-12p pacific/2-3p eastern for An After-Action Analysis of the Mirai Botnet Attacks on Dyn. During this session, Allison Nixon, Director of Research, and Zach Wikholm, Research Developer at Flashpoint, will discuss the anatomy and implications of the attacks. This session is classified TLP:Green and is open to Core/Core+ members and eligible non-member retailers, only. 

Next up, the R-CISC will host a Q3 Threat Briefing on Thursday, November 3 from 10-11a pacific/1-2p eastern to evaluate the retail cybersecurity threat landscape and preparations for the coming holiday season. This interactive session is led by Executive Director, Brian Engle and Research Director, Wendy Nather and includes an overview of Q3 observed threats as well as analysis of observed significant events, current threat trends, and anticipated threats as we approach the upcoming holiday season. The briefing is designed to be interactive, and participants are encouraged to join prepared to share and contribute to the session as we together anticipate the threats that may be in store, along with the priorities for preparing to defend against them in advance of the holiday season. This session is classified TLP:Green and is open to Core/Core+ members and eligible non-member retailers, only. 

The R-CISC is proud to support the information security community in these important conversations and to serve as the conduit for collaboration, information sharing and cooperation among retailers worldwide. We are stronger together.

*The R-CISC leverages the The US-CERT Traffic Light Protocol (TLP)  to specify how and where contributed threat intelligence may be shared. TLP Green indicates that the information  may be passed around a general community, but should not be shared in public. For example, a notification about a phishing campaign affecting everyone who uses a particular POS system could be shared even outside the R-CISC with other retailers, but should not be discussed on Twitter or Facebook where adversaries could see it; nor should it be shared with the media.
Read More
Beyond the Cybersecurity Breach: To the Right of Boom

A series of cybersecurity breaches in the 2013 to 2014 timeframe were the shot heard throughout the industry for many retailers. For some retailers the shot has resulted in a direct hit, while for others it has served as a warning fired across the bow. In all cases, the impact of these events has resulted in significant changes in strategies for retailers as they fortify their defenses and protect the payment channel from cyber criminals.


Cybersecurity efforts have largely been focused on the timeline to the left of the breach event. Strategies have included shoring up the payment transaction with end to end encryption, bolstering extensive layers of protection and defensive measures, and developing improved detection and monitoring capabilities to thwart cybersecurity breaches of payment card and customer information. Among the numerous strategic efforts was the formation of the R-CISC to enable threat intelligence and cybersecurity information sharing throughout the industry to get ahead of the threat.


These cybersecurity efforts have demonstrated a continued diligent and programmatic effort is needed to protect against the attacks of criminals. However, these efforts in and of themselves are not enough, as the impact of payment card breaches has a ripple effect of loss and costs to many organizations outside of the breached merchant. The ensuing fraud and monetization performed by criminals is costly and broadly impacting, affecting financial firms, merchants, and the consumer cardholders to the tune of millions upon millions of dollars per year. The LexisNexis 2016 True Cost of Fraud report ( provides a grim representation of fraud statistics with indications of fraud losses increasing across the board.


Activities observed and shared between retailers within the R-CISC have provided insights into the complex nature of the criminal efforts in several significant events. These observations have allowed leading cybersecurity experts to see into the expertise and division of labor at the stages of the Lockheed Martin Cyber Kill Chain that include the development of tools and weapons, the delivery of these weapons, and the eventual command and control enable leading to exploitation and exfiltration of data. The adversaries are not just working together; they are creating an economic marketplace of efficiency for attacking industries and businesses. The criminal capabilities then extend into the monetization and extraction of funds through additional stages not contemplated by the Lockheed Martin Cyber Kill Chain.


In order to disrupt the cybercriminal fraud crime chain, it is apparent that we need to see increased collaborative efforts between cybersecurity and fraud professionals, applying techniques and intelligence from all sides of the equation to combat the criminals. As we wrap up Cybersecurity Awareness Month and approach Fraud Awareness Week November 13-19, 2016, let’s put our brains and efforts together to make a real difference in our continued work to secure retail. (Or some derivative of our Securing Retail theme).


Brian Engle

R-CISC Executive Director 

Read More