At the recent (ISC)2 Governance Risk and Compliance event, the cybersecurity head of U.S. retailer Target put threats, risk management and third-party relationships under the spotlight.
The head of cyber risk at U.S. store giant Target has revealed how the grocery-to-homeware retailer approaches cybersecurity and risk.
Brenda Bjerke, senior director of cybersecurity at Target, where she leads cyber risk management globally, pointed to three key differentiators in her team’s approach to cyber risk excellence: threat; partnerships; and culture.
Speaking at the first (ISC)2 Governance Risk and Compliance (GRC) event, which is now available for on-demand replay, Bjerke explained how the organization places understanding threat at the heart of its approach to managing cyber risk.
Threat was central to the entire security risk context, alongside compliance and policy, she said. “By understanding threat, you're getting real time information that you can apply in the context of your business.”
Her organization relies on a “phenomenal threat intelligence team” to understand what's going on in the threat world and explain what’s most important in the threat context.
“And then we can apply that and say, ‘Well, how would that apply to the apps that we have, to the services that we have? What might be impacted based on those threats?’ And it helps us to be laser focused on the applicability because there's thousands of threats.”
Threat actors, like businesses, are constantly changing their tactics, she added. “It's important to understand what is most important in order to protect the business, that's unique to your unique situation.”
Security Beyond the Security Team
Looking beyond the security team, she said, “We work to have a security-minded culture mindset across the enterprise.”
This includes getting people to understand the nature of threats. Tactics include a “build your own phish” program. Target also runs a Security Ninjas program, in which people throughout the business, such as engineers and developers, are nominated by senior leaders to receive monthly threat debriefs and other training, which they then translate back to their own teams.
She also highlighted the role of its business information security officer (BISO) team. “These are team members that reach out to other partner teams internally, that engage on high-risk engagements to make sure that … we know what kind of other high-risk projects are happening.”
This allows Bjerke and her team to make sure the right controls are in place for high-risk projects at an early stage, “So that we're implementing things right the first time.”
But Bjerke said her organization also looked to share its knowledge beyond the organization, through external partnerships and collaborations. “We like to do that because it helps all of us become better.”
This means working with security groups, and with specific retail and hospitality groups, and working hard to inspire, recruit and retain a diverse talent pipeline. It also contributes to open-source tooling and has open-sourced a skimming detection tool.
Changing The Culture
When it comes to culture, she said, “As we're working through policy and all the things that we're working and testing, there's thousands of controls, depending on what we're talking about.” To ensure cultural change and buy-in, it is really important to “tell the story of this information” in a way that people in the business can understand.
“Our job is to be this subject matter expert…so that we can understand the business and the controls in such a way that we can explain it so well that the developer understands it and can easily come to the conclusion of how to implement the control that we are asking them to apply.”
One key element is a project called “product intelligence”, which gives each product a risk score for its security health and also highlights actions developers and product owners can take to improve that score, “almost like a credit ranking.”
More broadly, the firm offers “required training just like everyone else” but looks to go beyond this with initiatives such as Cybersecurity Awareness Month every October, which involves individual and team exercises and has even included a cybersecurity escape room.
Ultimately, she said, both cybersecurity and business were incredibly fast-paced worlds. “So that communication and collaboration everywhere is just going to be critical to be excellent in that cyber risk space.”