When Home Depot and Target experienced large-scale security breaches on payment systems in 2014, it hit those top retailers hard: Criminals stole millions of consumers’ debit and credit card data; the companies lost hundreds of millions of dollars in fines and lost sales; and their brand reputations suffered.
A fear of similar breaches rippled out to the entire retail IT industry and continues to reverberate a year later, said Forrester Research vice president and principal analyst George Lawrie. In a discussion in early 2015 with senior members of the CIO Council of the National Retail Federation (NRF), he said that the high level of concern caused by the breaches had not died down and data security was top-of-mind for the vast majority of attendees. He says “they emphasized that ‘No dollar is too much to protect our customer’s data.’”
In an NRF/Forrester report based on those discussions and survey data, Lawrie found that security and governance has become a top priority for retail CIOs as they seek to prevent future breaches, while also trying to deal with the proliferation of new technologies that CMOs and other business colleagues want to introduce, including mobile apps and analytics. The report found CIOS are working to balance putting structures in place to exercise appropriate governance, while at the same time fostering the innovation that creates bottom-line business value as retailers face increasing competition.
[Related: Consumers browsing — but not buying — via mobile and social media]
“CIOs don’t want to be seen as Dr. No, but there needs to be some kind of coordination of what’s going on,” Lawrie explains. “At the moment, LOB executives are under a lot of pressure to respond to the fact that customers are behaving in different ways, but CIOs need to balance risk against incremental value.”
Every retail budget has become an IT budget
This governance balancing act has emerged because over the past five years, every budget within retail has essentially become an IT budget, says Tom Litchford, vice president of retail technology at the National Retail Federation. Marketing, for example, has a budget highly dependent on technology to implement the solutions or applications that retailers want, as they shift their strategy from old-school, cost-cutting thinking to driving a better customer experience.
“IT has fought to get rid of silos and drive governance around technology for decades,” he says. But as other departments acquire technology outside of IT, those silos begin to be built again and IT has to step in and make sure the company is not exposing itself to cybercrime issues. “If you lose the customer’s trust, you’re pretty much out of business,” says Litchford. “So, you have to go through the process of setting up agreements with every group acquiring their own IT, to assure that they have the goal of the overall business in mind.”
The role of CIO has expanded as more data is at risk
As security and governance have moved front and center, the role of the CIO has also expanded beyond its traditional roles, into providing education on security at every level and every corner of the organization. Companies doing an assessment of their existing data and its risk profile are realizing they have more data at risk than they previously thought, says Perry Kramer, vice president and practice lead at Boston Retail Partners, which found in its 2015 POS/Customer Engagement Benchmarking Survey that payment security is among CIOs top three priorities for 2016, with big topics of discussion focusing on encryption and tokenization. Major types of data at risk, he explains, include credit and debit account numbers, gift card numbers, personally identifiable information (also referred to as PII data), proprietary merchandise/product data and financial plans.
[Related: 9 ways mobile and social tech improves the retail shopping experience]
“Retailers literally have hundreds of thousands of access points, as well as a large portion of their staff that are not highly trained in the use of technology,” he says. “So they must make every effort possible to lock down peripherals and every risk point.” CIOs are challenged to fight for the budget and resources to maintain multiple layers of security, he adds, which goes hand-in-hand with allowing the business to operate with the flexibility and functions it needs to succeed.
Omnichannel creates both challenges and opportunities
The good news is, the CIO relationship with line-of-business colleagues has improved enormously at most retailers, including better communication, says Lawrie, which will be crucial to collaborating on issues such as making inventory data more accessible to customers and integrating channels. What is still challenging, however, is how to create the business case for new technologies when even limited deployment can have risks. “Some of them you have to try out to see if you have a business case at all,” he explains. “It’s hard to tell how it will affect conversion or average order value, for example, doing a pilot.”
In general, CIOs must continue to educate the key executives in their organization on the risks and their plans to address those risks, says Kramer, and they need to engage technology partners with the expertise in this rapidly changing area to reinforce and help execute those plans.
“As organizations continue to push for omnichannel capabilities, the CIO must be cognizant of how increases in data security may impact the ability to provide this type of functionality,” he says, adding that a true unified commerce architecture, if implemented correctly, can actually serve as an enabler of both enhanced information security and a seamless shopping experience. “It can minimize customer datastores, control the flow of payment data through a single gateway, and provide a single version of the truth as it relates to business rules.”