Published on the 19/11/2024 | Written by Heather Wright
Four pillars to security…
Richard Harrison might head up cybersecurity for Foodstuffs South Island, but his focus is very much on the company’s bold overarching purpose of feeding New Zealand’s South Island.
He’s clear that cybersecurity has a key role to play in that goal – and across the business – and must be an enabler, rather than a blocker.
“There are a few things we want to focus on, but business resiliency is one of them and the investments we have made in cybersecurity, particularly over the last two years, really have been designed to ensure that business continuity, making sure we protect critical assets and can enable secure resilient digital transformation in order to achieve that purpose of feeding the South Island,” Harrison, who is CISO head of cyber and technology risk for the retailer, told iStart.
“We want to make sure our strategy is very aligned to the business strategy and delivers on that purpose.”
Integrating cybersecurity into digital strategies is essential now for any organisation to drive both business resiliency and sustainable growth, he says. That in turn helps build trust among customers, consumers and key stakeholders the cybersecurity team works with.
“Organisations now are increasingly reliant on technology and digital solutions, whether for optimising supply chains or enhancing customer engagement or increasingly now leveraging AI-driven insights. Cybersecurity is a foundational element to all of that now; it supports those things. So being secure by design is a critical capability that we are very much focused on.”
But raising awareness of threats and getting people to think security first remains a challenge, he says.
“That for me is the approach – and building trust. The security team in any organisation needs to be a trusted advisor, we need to go with a customer centric mindset, we need to understand that people are just trying to do their jobs and they’re trying to do their jobs in the most innovative, fastest ways possible to get the job done, keep the business running, get goods out the door, get goods into the stores.
“Our job is not to get in the way. We want them to come to us if they have a problem or see something happening. Our job is to advise, point out risks and look at how we can manage those risks as efficiently as possible,” he says.
Harrison was speaking to iStart following Foodstuffs South Island’s recent win in Trend Micro’s 2024 Customer Awards, where the Kiwi company scooped up a Visionary Award, alongside the United States’ Northeast Georgia Health System and hospitality chain, Accor.
He says the cybersecurity team is focused on four pillars: culture, architecture – making sure security is built into the architecture of solutions, almost on a pattern-based approach so it can be reused – processes and collaboration to drive adoption across the organisation.
Harrison has been focusing on trying to get cybersecurity to ‘shift left’ and have security much more up front in the thinking of developers and engineers right from the start.
“Rather than treat cybersecurity as an afterthought, our aim is to take a much more risk-based approach to things and build it in from the start. So making sure when we are developing new products and services or enhancing existing ones, that those teams know to come and talk to us first, that we help them do a bit of a risk assessment, look at what the threats might be and then build a resilient solution into the design and then test it at the end when we build it,” he says.
“Too many organisations, at every level of the organisation, think cybersecurity is something that is a technology problem and needs to be managed by the IT team. Half the battle is making people understand that it is a significant business risk that can compromise achievement of strategic objectives.”
Leveraging the best technologies the company can afford is another key aspect, with the company looking to start to make use of things such as AI-driven threat detection to ‘take the pain away from people as much as possible’.
Foodstuffs South Island, which has around 200 Pak’nSave, New World, Four Square, Raeward Fresh, On the Spot, Trents and Liquorland stores across the South Island, has taken a platform-based approach to cybersecurity.
Harrison says he’s tried to simplify and reduce the number of tools in the environment.
Trend Micro sits at the core of the cybersecurity capability, with other tools around it. Recorded Future is used for threat intelligence capabilities, and the company takes feeds from the Retail and Hospitality ISAC – a member organisation – into its threat intelligence.
Tools are also used to simulate attacks and ‘constantly’ test controls within the environment.
The company has a goal of automating as much as it can, particularly low-level activity which can divert people away from the more proactive activities.
Playbooks are being built out around how threats and vulnerabilities are dealt with, to provide consistency of approach, and Harrison is keen to automate each step of the playbooks as far as possible to free up time and capacity for more proactive activities, taking pressure off the security teams and avoiding the need to recruit more people, which adds to costs.
“In many ways the technology is only a foundational piece – key bits now are the people and processes and making sure we can automate as much as we possibly can, while also being proactive and checking for vulnerabilities on a daily basis, seeing whether they apply to us, whether we need to pay attention to them and then acting quickly to patch or remediate those vulnerabilities as fast as we can.”
Key to all of that is observability and visibility, enabling the organisation to see what is going on in its environment in relation to critical assets.
“That requires us to engage and collaborate with the IT teams to speed up delivery and extend the security capability beyond the security team,” Harrison says.
“We want to make sure we are engaging and working with the operational IT teams on a daily basis to investigate and respond to things and make sure we have the best posture we possibly can.”
Foodstuffs South Island has been on a cloud journey in recent years – earlier this year it went live on SAP S/4Hana Rise.
Harrison admits cloud adds its own challenges, noting that one of the biggest challenges for IT teams is the increasing complexity of environments and increasing connectivity, and staying on top of it all with the same number of people who would have traditionally run an on-premise environment.
“It comes back to observability and visibility into the environment. You need to have, as much as possible, a single pane of glass view of what is going on in the environment from a security point of view, whether it is a cloud environment or a data centre or on-premise data centre.”
For now, Foodstuffs South Island is relying on linking together multiple offerings to get that visibility and observability, but Harrison, who was speaking to iStart while on a security study tour in the United States, is eyeing up next generation SIEM, which serves as a unified data platform, applying modern intelligence and analytics to security data in real time.
“We are not there yet, but increasingly those platform providers will get there. The more we can rationalise and consolidate data into a single place and then interrogate through a single pane of glass, the more effective and efficient you are, the better able you are to correlate activity across the environment and determine if something is a threat or not.”