Whose Line is it Anyway? One CISO’s Approach to Board Communications

Recently, the R-CISC team sat down with Scott Howitt, SVP & CISO at MGM Resorts International, to learn more about his approach to assessing, prioritizing, and communicating risk to the board of directors. To learn more about additional strategies, join Scott and other retail CISOs in an upcoming workshop discussion of risk tolerance taking place at the R-CISC’s Retail Collaboratory on May 9-10 at the Westin Stonebriar in Frisco, Tx. The Collaboratory’s inaugural agenda can be found at Interested in participating? Contact us at


Welcome to the big time – as a CISO, your time has arrived. Today’s CISO regularly commands the attention of the Board and Audit Committee, and for good reason. Over recent years, industry impacting events have pushed cyber security to the top of board meeting agendas, and CISOs serve as an expert advisor in informing the board on organizational risks. As times and board priorities change, so too must the CISO’s strategy for deftly translating cyber security ‘speak’ into meaningful, board-level communications.


As CISO for MGM Resorts International, Scott Howitt is accountable for creating, implementing and overseeing a wide series of strategies and programs to limit information security risk across six separate business units. From retail to hotels, gaming, sports arenas, restaurants and entertainment venues, Scott’s purview encapsulates a wide range of risks which he must then assess, prioritize, and communicate to the board. Read on for a sampling of strategies Scott shared with our team, and for information on the opportunity to join him and more retail CISOs for an interactive, deep-dive discussion of these and other strategies.


Educate yourself, then educate the board.


Take advantage of the many online resources available on board guidance, including example questions that the board should ask of the CISO. If you’re not sure where to start, the New York Stock Exchange’s Corporate Board Member magazine can give you an idea of which questions board directors might bring to the table during your next meeting.


Recent litigation suits underscore the high price of the wrong answer to whether an organization has implemented ‘reasonable data security measures’. As the CISO, it’s your job to educate the board on your organization’s information security risk profile, which defensive measures are in place, and where resources are needed to enhance security posture. While it is up to each individual organization to implement security-driven defensive measures based on the unique nature of their risks, here are some useful resources to help the conversation:


  • This recently published document from the Federal Trade Commission (FTC) illustrates the top 10 lessons learned from recent law enforcement actions pursued by the FTC
  • The public private partnerships established between government and industries have made significant progress in improving the nation’s cybersecurity posture – your participation as a member of the R-CISC demonstrates your organization’s commitment to proactively strengthening your cybersecurity program’s capabilities
  • The NIST cybersecurity framework offers the model for a scalable approach to managing cybersecurity-related risks
  • The PCI data security standard applies to companies of any size that accept credit card payments


Channel your inner CFO.


Understand these terms and why they’re important, because odds are that every other individual in the board room will know them, too.

  • CAGR
  • CapEx/OpEx


Ie: Understand the net impact of status to [EBITDA, CAGR, operations] and provide solid reasoning to support your assertion.


Be proactive – hire an external auditor.


Because why wouldn’t you want to be the one driving this conversation? Bring in an external auditor to provide their opinion on the information you should be presenting to the board. Inevitably, the subject of an independent audit will be broached at some point. By initiating this process proactively, you’re well positioned to address questions and to communicate findings to leadership.


Remember, cybersecurity is an afterthought unless you can demonstrate the direct correlation between your program and business impact. Retailers can learn more about this approach along with additional strategies in Scott’s upcoming workshop discussion of risk tolerance taking place at the R-CISC’s Retail Collaboratory on May 9-10 at the Westin Stonebriar in Frisco, Tx. Interested in participating? Contact us at


Read More
Key takeaways from the R-CISC’s week at RSA Conference

Hi, I’m Alex Brown. As Community Manager at the R-CISC, I’m thrilled to begin working with and learning from all of you on how to best facilitate conversations and disseminate information that drives value for you within your organizations and in the retail cybersecurity space. Kicking off what I hope to be an ongoing conversation, I wanted to share some information on what we’ve been up to thus far in 2017 and what we’re planning for all of you in the coming months.

Like many of you, the R-CISC team just wrapped up a brilliant week full of thoughtful conversation, strategy, development, and important security conversations at the 2017 RSA Conference. We connected with many from the ISAC and ISAO community, retailers, government agencies, associate members, and media partners. We’re energized and excited to move forward with partnerships that amplify opportunities to support the retail cyber intelligence community.

The R-CISC hosted several events at RSA. One session informed members of our 2017 initiatives that guide our advancement. We’re amplifying existing partnerships and building new ones to increase information sharing capabilities and enhance our access to intelligence that heightens strategic knowledge exchange. The R-CISC also facilitated a peer-to-peer discussion on digital transformation that focused on customer attack vectors, attacker innovation, strategies for mitigating risk, challenges and best practices in the field. Lastly, we had an open house on Friday morning for more informal conversation and connections with members. To those of you who took the time to attend our sessions, thank you for engaging and supporting the R-CISC community. We hope that your time spent with us was valuable.

Our inspired group of R-CISC staff are now diving head first into the 2017 Retail Collaboratory, the next big meeting for information security professionals within retail. This event, taking place May 9-10 in Frisco, Tx is a unique, two-day forum designed with workshop and whiteboard style sessions intended to shepherd meaningful dialogue that addresses retail critical subjects.

Look for an announcement in the coming week that highlights some of our exciting speakers and sessions. Interested in attending? Please go here to learn more about qualifications to attend, hotel information, and to register today.

Interested in participating in the agenda? Questions about the Collaboratory? Please reach out to me directly at

Read More
The Retail ISAC (R-CISC) Presents our Holiday Guidance Series for Retailers

The Retail ISAC (R-CISC) is pleased to invite all eligible retailers to join in our upcoming Holiday Guidance webinar series designed to arm information security professionals from retail, restaurants, hotels, hospitality, and our partner sectors with actionable insight, strategies, and peer discussion opportunities throughout this most busy time of year! Interested individuals can email for registration details and join prepared to engage and share during these lively, interactive sessions. For more information on the R-CISC email

As many of you are aware, on October 21, 2016, a series of distributed denial-of-service (DDoS) attacks against Dyn DNS impacted the availability of a number of sites concentrated in the Northeast US and, later, other areas of the country. Impacted sites included: PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify, and RuneScape. While the attacks were still ongoing, Flashpoint was able to confirm that at least one portion of the attack was initiated by a Mirai Command and Control server. R-CISC Core/Core+ members and eligable, non-member retailers are invited to join on Wednesday, November 2 from 11-12p pacific/2-3p eastern for An After-Action Analysis of the Mirai Botnet Attacks on Dyn. During this session, Allison Nixon, Director of Research, and Zach Wikholm, Research Developer at Flashpoint, will discuss the anatomy and implications of the attacks. This session is classified TLP:Green and is open to Core/Core+ members and eligible non-member retailers, only. 

Next up, the R-CISC will host a Q3 Threat Briefing on Thursday, November 3 from 10-11a pacific/1-2p eastern to evaluate the retail cybersecurity threat landscape and preparations for the coming holiday season. This interactive session is led by Executive Director, Brian Engle and Research Director, Wendy Nather and includes an overview of Q3 observed threats as well as analysis of observed significant events, current threat trends, and anticipated threats as we approach the upcoming holiday season. The briefing is designed to be interactive, and participants are encouraged to join prepared to share and contribute to the session as we together anticipate the threats that may be in store, along with the priorities for preparing to defend against them in advance of the holiday season. This session is classified TLP:Green and is open to Core/Core+ members and eligible non-member retailers, only. 

The R-CISC is proud to support the information security community in these important conversations and to serve as the conduit for collaboration, information sharing and cooperation among retailers worldwide. We are stronger together.

*The R-CISC leverages the The US-CERT Traffic Light Protocol (TLP)  to specify how and where contributed threat intelligence may be shared. TLP Green indicates that the information  may be passed around a general community, but should not be shared in public. For example, a notification about a phishing campaign affecting everyone who uses a particular POS system could be shared even outside the R-CISC with other retailers, but should not be discussed on Twitter or Facebook where adversaries could see it; nor should it be shared with the media.
Read More
Beyond the Cybersecurity Breach: To the Right of Boom

A series of cybersecurity breaches in the 2013 to 2014 timeframe were the shot heard throughout the industry for many retailers. For some retailers the shot has resulted in a direct hit, while for others it has served as a warning fired across the bow. In all cases, the impact of these events has resulted in significant changes in strategies for retailers as they fortify their defenses and protect the payment channel from cyber criminals.


Cybersecurity efforts have largely been focused on the timeline to the left of the breach event. Strategies have included shoring up the payment transaction with end to end encryption, bolstering extensive layers of protection and defensive measures, and developing improved detection and monitoring capabilities to thwart cybersecurity breaches of payment card and customer information. Among the numerous strategic efforts was the formation of the R-CISC to enable threat intelligence and cybersecurity information sharing throughout the industry to get ahead of the threat.


These cybersecurity efforts have demonstrated a continued diligent and programmatic effort is needed to protect against the attacks of criminals. However, these efforts in and of themselves are not enough, as the impact of payment card breaches has a ripple effect of loss and costs to many organizations outside of the breached merchant. The ensuing fraud and monetization performed by criminals is costly and broadly impacting, affecting financial firms, merchants, and the consumer cardholders to the tune of millions upon millions of dollars per year. The LexisNexis 2016 True Cost of Fraud report ( provides a grim representation of fraud statistics with indications of fraud losses increasing across the board.


Activities observed and shared between retailers within the R-CISC have provided insights into the complex nature of the criminal efforts in several significant events. These observations have allowed leading cybersecurity experts to see into the expertise and division of labor at the stages of the Lockheed Martin Cyber Kill Chain that include the development of tools and weapons, the delivery of these weapons, and the eventual command and control enable leading to exploitation and exfiltration of data. The adversaries are not just working together; they are creating an economic marketplace of efficiency for attacking industries and businesses. The criminal capabilities then extend into the monetization and extraction of funds through additional stages not contemplated by the Lockheed Martin Cyber Kill Chain.


In order to disrupt the cybercriminal fraud crime chain, it is apparent that we need to see increased collaborative efforts between cybersecurity and fraud professionals, applying techniques and intelligence from all sides of the equation to combat the criminals. As we wrap up Cybersecurity Awareness Month and approach Fraud Awareness Week November 13-19, 2016, let’s put our brains and efforts together to make a real difference in our continued work to secure retail. (Or some derivative of our Securing Retail theme).


Brian Engle

R-CISC Executive Director 

Read More
Accepting the Challenge

Last week was our inaugural R-CISC Summit in Chicago. With just over 200 attendees, we had the most significant retail industry professionals covering the latest and greatest in cybersecurity issues and trends.


Kicking off the two days of deep discussions was a session with the R-CISC Board of Directors sharing their vision of the future. Building on the the critically important topic of collaboration, one of our Board Members, David McLeod (CISO, JC Penney) talked about important security measures that need to be adopted more widely within the industry. He described this as “making the minority the majority,” a theme that carried throughout the Summit, and has become a mantra for the R-CISC community efforts.


Through collaboration and discussions in the many interactive sessions that occurred over the two-day Summit, sharing was the name of the game. The National Cybersecurity Center of Excellent (NCCoE) proposed two reference architecture projects: Multifactor Authentication for e-Commerce and Securing Non-Credit Card, Sensitive Consumer Data, both of which are intended to put promotable practices into the form of reproducible technology. Attendees listed other practices they had successfully implemented, such as geo-blocking, card data tokenization, E2E and P2P encryption, and phishing awareness training. Securing eCommerce is a significant focus for our members, and a primary research topic for the R-CISC that will have many ongoing workshop efforts.


R-CISC members presented on everything from mobile payment security to practical metrics and IoT, and our Associate Members brought their expertise to the table in areas such as using threat intel for continuous monitoring, restoring trust after a breach, and first principles for network defenders. We rounded out the lineup with global perspectives, such as the geopolitical implications for retail cybersecurity and using disruptive technologies to assist in disasters. One of the things I’m really proud of is the wide variety of topics we featured; this conference showed that the R-CISC membership has a multitude of risks that are not just at the traditional Point of Sale terminal.


Everyone has their favorite high points from the summit – I have to admit that recognizing the R-CISC top contributors at our member dinner was at the top of the list, but the Q&A session with Brian Krebs was a close second. Overall, the best part for me was seeing organizations of all sizes sitting down together and learning from one another. While the Amazons, Googles, Facebooks and AT&Ts of the world may have resources the rest of us can only dream of, we can share a vision of how to make security work. And we’ll check in on our progress next year.

Read More