Top 3 Takeaways from the “Security in Retail: An Industry at a Crossroads” Webcast

Blog post created by kelly_garofalo on Feb 13, 2015

Retail is one of the industries hit hardest by the high-profile mega-breaches of late. jane_m, product marketing manager at Rapid7, and wimremes, manager of strategic services at Rapid7 (read his intro blog here), came together to discuss the challenges and future of retail security, and how organizations need to think about the balance between compliance and focusing on attack prevention and detection. Read on for the top 3 takeaways from the "Security in Retail: An Industry at a Crossroads" webcast:


  1. EMV: the silver bullet for retail security? – The EMV (Europay, Mastercard, Visa) method, slow to be adopted in the US because of the cost to transition, is proving to be a huge step in the right direction for retail security. It stops magnetic stripe skimming fraud and enables online fraud prevention protocols, so it is a great improvement and could limit the damage from major breaches. However, it should only be used as one piece of the larger retail security infrastructure puzzle.
  2. Stay above the Security Poverty Line! – Ever heard the saying “you don’t have to run faster than the bear to get away, you just have to run faster than the guy next to you”? The same concept applies to security: organizations need to think about how to ensure they are not the path of least resistance to profit for attackers. Attackers are opportunistic and often driven by economic motivations, so maintaining a program that is costly to attack – and is more than just checkbox-compliant – is a sure way to lower your risk. Compliance should be a byproduct of good security, not the other way around.
  3. Use Models to Build a Risk-Driven Program – Jane and Wim talk through two possible approaches to switching from a compliance-driven program to a risk-driven program: the Security Maturity Approach and the Threat Modelling Approach. Both methods are effective, depending on your needs: organizations primarily focused on risk may do better with the maturity level approach, while innovative organizations with a lot of in-house development and system design would benefit more from the threat model approach.


View the on-demand webinar now to learn more about EMV, the Security Poverty Line, and the Security Maturity and Threat Modelling approaches to security.