‹ All episodes

Emerging Cybersecurity Risks

Managing Cyber Security Challenges in the Retail Space with Ganjar Imansantosa, VP and CISO at Tropical Smoothie Cafe

👉 Cybersecurity in a shared risk environment

👉 Customer data privacy at retail brands

👉 The role of legal teams in defining Cybersecurity strategies

SHARE EPISODE

Welcome to this episode of the Emerging Cyber Risk podcast, brought to you by Ignyte and Secure Robotics, where we share our expertise on cyber risk and AI to help you prepare for the risk management of emerging technologies. We are your hosts, Max Aulakh and Joel Yonts. Today’s guest is Ganjar Imansantosa, VP and CISO at Tropical Smoothie Cafe, a nationally franchised quick-service restaurant.

 

We discuss the challenges and solutions of implementing cybersecurity protocols in a shared risk environment between the brand and the franchisee. Ganjar covers multiple touchpoints, including managing cyber security in a shared risk environment, why the retail industry lags in adopting cybersecurity protocols, and maintaining customer data privacy at retail brands. He also covers the role played by legal teams in defining the cybersecurity strategy of an organization. We hope you enjoy this informative and fascinating episode!

Some of the topics discussed include:

  • Cybersecurity in a shared risk environment
  • Why the retail industry is falling behind other industries in adopting cybersecurity protocols
  • Customer data privacy at retail brands
  • The role of legal teams in defining Cybersecurity strategies

 

Ganjar Imansantosa Bio:

Ganjar Imansantosa is VP and CISO at Tropical Smoothie Cafe, a nationally franchised quick-service restaurant. He has over 25 years of experience leading information security teams at global brands like Ernst and Young, Arthur Anderson, and Dominos. As an information security leader, Ganjar assists enterprise technology leaders in defining and executing their information security strategies. He is equally passionate about safeguarding digital assets against emerging cyber threats while supporting the business in achieving its strategic goals. 

 

Get to Know Your Hosts:

Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website

 

Joel Yonts Bio:

Joel is the CEO and Research Scientist at Secure Robotics and the Chief Research Officer and Strategist at Malicious Streams. Joel is a Security Strategist, innovator, advisor, and seasoned security executive with a passion for information security research. He has over 25 years of diverse Information Technology experience with an emphasis on Cybersecurity. Joel is also an accomplished speaker, writer, and software developer with research interests in enterprise security, digital forensics, artificial intelligence, and robotic & IoT systems.

Joel Yonts on LinkedIn

Secure Robotics Website

Malicious Streams Website

 

 

Max – 00:00:03: Welcome to Emerging Cyber Risk, a podcast by Ignyte and Secure Robotics. We share our expertise on cyber risk and artificial intelligence to help you prepare for risk management of emerging technologies. We’re your hosts, Max Aulakh 

 

Joel – 00:00:18: and Joel Yonts. Join us as we dive into the development of AI, evolution in cybersecurity, and other topics driving change in the cyber risk outlook.

 

Max – 00:00:27: Thank you everyone for joining us on this episode of the Emerging Cyber Risk Podcast. This is Max and Joel. Today joining us is Ganjar Imansantosa. Ganjar is a good friend of mine. He’s a chief security officer, council member at the National Retail Federation. He’s also served as an advisory member, as well as has a ton of experience being a cyber director. So, Ganjar, with that, I wanna do thank you and welcome to the show. Tell us a little bit about yourself and your current role for those audiences that are not familiar with you. So, share a little bit about your background.

 

Ganjar – 00:01:02: Thanks Max. Thanks Joel. So, I am currently the Chief Information Security Officer at one of the quick service restaurant-company here in the US based out of Georgia. We have about more than 1000 retail locations all over the US with a franchise model. So relatively new in this role for this company. A couple of weeks ago, I just celebrated my first anniversary with them. So, we’re trying to build a good information security program right as you may know a lot of companies or restaurants are moving to the digital channel, so that’s what we’re focusing on. And prior to that, I was with another restaurant company, and spent four years there in the Midwest area. So basically, about 10 to 15 years of my cyber security experience has been with the retail organizations. And prior to that, I was with a security consulting company in the US. So, we’re serving several clients in private industries, private organizations, helping them with their information security program, information security assurance, audit, and attestation.

 

Max – 00:02:13: Awesome. Well, Ganjar, thank you so much for being here, you certainly got a lot of experience and today, what we want to learn about is really some of the challenges in the retail industry. The business model itself and you kind of hit on this already, you know what’s happening within the retail in terms of digitization of everything. But to kind of start with, can you help us understand like what’s the retail business model, right? Thousand locations of let’s say retail. How does that work? Do you typically see that they’re all owned by a single entity or the independent business owners? How does that differ when it comes to the retail industry, just the business model itself?

 

Ganjar – 00:02:54: Yeah, I think that’s a good question to level set, right? I think the simplest model would be, you look at this retail organization and they have a corporate store, right? You know, a couple hundred or even thousands of corporate stores they all operated by them. They have full control over the operations of the corporate stores, the technology, and even the security of those locations, right? And there’s a different model where the company owns the brand and they may have a few corporate stores or locations, but maybe 99% or 80% of the retail locations are franchised to other individuals or other entities. This is the franchisee model for sure, as you know, and there are some different nuances when it comes to managing the security aspect of this kind of model.

 

Joel – 00:03:49: A lot more things are optional, right?

 

Ganjar – 00:03:51: A lot of things are optional and a lot of things that you cannot require. You know, there’s certain things that are regulated through the master franchise agreements and whatnot.

 

Joel – 00:04:02: Absolutely.

 

Max – 00:04:03: Joel, I know you’ve got some retail experience too. I mean, this probably makes for a very interesting challenge where you have small independent business owners, right? And then you’ve got a master agreement of some sort. But the brand can take a hit, even though it might be independent, like everybody knows. Wendy’s, everybody knows Panera, everybody knows Amazon. Regardless of how many independent stores they might have. But it could be a very interesting challenge when it comes to risk management.

 

Joel – 00:04:32: Absolutely. And one of the things that I’m thinking about, because I mean, when you talk about retail, it’s not cash rich generally, and there’s always a backlog of stuff to do and it’s really just kind of working through it. But when we go out to the edge, and we think about what’s kind of new, and what new risks are popping up, when I think about privacy, you know, privacy is getting us so much buzz and so much regulation. And I would imagine that when you start looking at these large privacy regulations on a national or international level, trying to separate your responsibility from that of the franchise or whoever is running these stores, I imagine that can be really tricky. How do you navigate through that?

 

Ganjar – 00:05:11: Yeah. That’s a great question, Joel. I know for sure that my peers are trying to answer the same question that you just asked me. But Max is right. It’s about the brand. You name all the great brands out there that we know. McDonald’s, Domino’s are the Burger King. You know the brand. You don’t know, oh, it’s Joe Schmoe who runs that store in Florida, you don’t care about that as a customer, all you care about is just the brand. So, when there’s a data breach, then you go after the brand. You don’t go after the franchisee. So that’s the biggest problem or challenge that many of these franchise organizations are trying to address. They have to strike a balance between not trying to over control the franchisees, but get them to understand that, hey, we’re doing this to collectively protect our livelihood. Because if the brand is damaged, no one will go to your cafe. No one will go to your restaurant. Because within this together, one franchisee got hurt in Minnesota the reputation is all damaged for everyone in the US. So, I think we always talk about how the security professionals are maturing in their understanding of information security. And then we move on to the leadership getting a better understanding of what security is about. And now we’re talking about the corporate board level. They’re getting a better understanding of what type of risks are. Well, on the franchisee, on the retail side, we’re also making our ways with the franchisees themselves, these small business owners, if you will. These are all new concepts to them like five years ago. Like, why do you have to care about PCI? And we tell them, you can get fined. OK, how much is the fine? Well, not only that, we can get data breaches and people might stop coming to your stores using the app, it’s like making small progress in these conversations with them.

 

Max – 00:07:01: Yeah, I can imagine. My dad owned a small business, a gas station, right? And let’s say it’s a 7-Eleven or whatever. I can’t imagine, because a lot of these small business owners sometimes have a grass with technology, but most of the time they don’t, they’re just trying to get their job done and figure out how to live another day. Because Joel, you mentioned it’s not a cash rich position, right? The other interesting thing here, Ganjar, Google has a model. In the cloud, we call these things a shared services model but they kind of take a different tone to it. They call it the shared fate model. I think that’s more applicable to what you’re doing in franchisees and small businesses, because it truly is a shared fate because yes, if the brand gets hurt, nobody’s going to want to go through that drive-through, right? Nobody wants to put their credit card into that. So a very interesting problem. I don’t quite have the answer to it. Have you had the opportunity to talk to some of the smaller businesses? In terms of like, are they even open to security, right? I’m always curious about the pressure or care or lack thereof from the other side. How do they feel about this, right? Because they have to do something now.

 

Ganjar – 00:08:11: Yeah, so I think this is where a risk-based approach or so being pragmatic will pay a lot of dividends, right? When you look at the huge franchise model with, I don’t know, hundreds of individual franchisees. Not to make them into passes. We’ll have a different response when we come back, like when we talk about privacy here in the US, and we try to bring that same concept to a mass franchise in Malaysia, for example, they might get less or they might get more, right? So, you have to be sensitive to their perspective. But my theme is mantra, is always go back to what you think needs to be secure. So, you cannot apply the same approach, the same level of requirements and rigor to just about everyone who runs your brand like a franchisee who owns one restaurant or one cafe definitely have a lower attack surface, right? A lower attack footprint than a franchisee who owns like 200 locations. I think the most important thing is for you to start having conversations with these different individuals. And just like anything we’re doing in security awareness, you take your win. If you can move the needle a little bit every day then that’s a win, right? It’s a continuous journey, basically.

 

Joel – 00:09:34: Yeah, I was getting ready to say that when I hear you talking, I’ve been in your seat so many times, and it’s a really challenging discussion, listening and making sure that first you understand what the problems they’re trying to solve. But the other thing, and I was going to see if you’ve had this experience, is that the IT juggernaut of large enterprises is like a battleship. I mean, these things are massive programs and technologies, and the vendor solutions are these monolithic solutions, and they can really crush these small entities. So, it’s not just, I imagine, not just what you’re asking, but how and so have you been able to tap into some of the new SaaS offerings that follow a different model to help these people along, or have you had success with some of these larger battleship style programs?

 

Ganjar – 00:10:18: So, I think it’s a little bit of both, actually, I guess for me and my team, we just have to be very open to the opportunities that come up. In some cases, there will be new startup companies that offer a unique solution that would fit our franchise model. The one thing about franchisee organizations is they always have a culture. I’ve been in a couple of large franchises in the US. They’re very proud of their culture, and it’s very fanatical, let’s just put it that way. So, if you go with a service provider that is very rigid and they basically are telling the customer to just follow our way, change your process. That won’t work, right? So, in that case, as working with a startup company was more flexible, but have like, however, there are very classic inherent risks that many retailers, many franchise organizations are dealing with. And for those kinds of things, most likely it’s best for you to go with the known brands, right, it’s monolithic, it’s heavy, but you know what? That’s the only option that you have.

 

Joel – 00:11:33: That makes so much sense.

 

Max – 00:11:35: Yeah, I think, Ganjar, you mentioned earlier, right, some of the digital transformation that really gets into some of these, whether they’re battleship-like programs like Joel was talking about so I’m gonna steal that word, Joel, right? So, some digital transformation, everybody’s talking about it. And then of course there are emerging players that are much more agile. What kind of changes are you seeing, Ganjar, when it comes to the IT side of the house? What are some of the innovative capabilities that are coming out within that retail space that are giving the businesses an edge, right? That might be creating some risk for you, but at the same time, it’s really helping the retail business grow.

 

Ganjar – 00:12:15: Yeah, so this is my opinion. I think when we look at you know, all the other different industries in the US, especially on the security aspect of it, Usually, retail is never on the leading front of security technology adoption, right? We’re always on the tail end. We always see other industries adopt more advanced new solutions. But people talk about Zero Trust five years ago, we’re talking about it today, for example, right? That is a result of many, many different things, you know, they talk about razor-thin margin, funding, right, it all boils down to that kind of thing. I think in some ways that’s an advantage for us, for me especially, because we never have to be the guinea pig for adopting new technology. So, for today, I think where many technology companies have dipped their toes in or have basically dive into more advanced digital solutions and platforms, most retail companies have only tested the water during the pandemic. I’m guessing if you look at the entire population of retail companies in the US, probably five years ago, I would say maybe only 20% are thinking about adopting digital channels, full-blown e-commerce, building a website or a mobile app and all of that. And then the pandemic happened in 2019, 2020. All of a sudden, all of those things got accelerated, right? And now we have, you know, these are all the organizations, building the mobile app, the infrastructure you know, buy online, pick up the store and a thing. So, I guess we’re still slowly adapting those new things where for other industries, it’s considered like, you know, yesterday, right?

 

Max – 00:14:00: Yeah. I don’t know, Joel, if you feel like this, but Ganjar, when I hear you say, you know, you guys are maybe lagging. The grass always looks greener on the other side, man. So, you know.

 

Joel – 00:14:13: I always say these new solutions, our technology is innovating faster than ever, but it’s not getting any simpler. It’s getting more and more layers. And I don’t know how people can keep up with it, you know, without a full heavy focus on the changes in the technology space. I don’t know how, you know, you can even communicate this to some of the people that are running your stores in a meaningful way so you can have a good dialogue. That’s got to be a really challenging and escalating challenge, I should say.

 

Max – 00:14:40: Yeah. And you know, Ganjar, when you were talking what kind of came to my mind is like, all right, retail COVID happened, then they accelerated the change. And now, you know, after COVID or post COVID, post-ish COVID, right, depending on how people look at it. Yeah, I would think that a lot of people are ramping up and maybe they are taking a little bit of a forward leaning posture. Right? How do we quickly get some digital transformation going and then at the same time, you know, security still becomes kind of a tail end concern, right? Let’s just get the app working. Let’s just get it up and running. And then we’ll see what happens, right? Because the COVID seemed to be a bigger business risk, like the whole shutdown. But Ganjar, have you seen an uptick in retail in general? Since COVID in terms of digital activity and things like that.

 

Ganjar – 00:15:34: Yeah, so last year I spoke with several companies. Right. You know, about what they’re trying to do with their technology platform, technology offering to their consumers and what they’re trying to do to secure those digital channels, right? There’s definitely an optic max for sure, based on what I’m seeing, this is just anecdotal, I don’t have stats to back that up. But I would say five out of six companies that I talked with last year, all of them were trying to adopt something, whether it’s to create a virtual shopping experience, where people can buy furniture without having to go to the store,touch the sofa texture and all those things, but just use their mobile phone to visualize how the sofa would fit in their living room, for example, right? And another company is trying to build a very advanced mobile app Want to unlock their customer data. So, they can do targeted marketing, upsell, social media, Google Pixel, all of those things, right? And you’re right. I think a lot of times for the retail industry, security is an epitope. And it’s not always built into, you know, these projects, these digital initiatives that they’re doing. At least they’re thinking about security, although it’s a little bit too late, it’s not by design. But the good thing is they now have someone come in to make sure that everything is buttoned up there are no glaring open gaps that can be exploited by attackers to steal customer data.

 

Joel – 00:17:06: So, I mean, when we’re talking about the mobile movement, you know, I’m looking at the younger generation and they’re going virtual. And so, do you see your chain going to be delivering in virtual worlds anytime soon? You’re going to have a virtual presence? Is that on the forefront? Can you speak about that?

 

Ganjar – 00:17:22: Yeah, I was at the NRF a couple of months ago, right? The National Retail Federation big show. So, this is the biggest retail convention in the world, basically held in New York every year. And they always showcase different kinds of technology. And I kid you not, it’s really mind blowing, it’s like bringing the future in front of you. All the things that maybe five or 10 years ago, when you watch Tom Cruise movies, the minority reports, like, oh, that’s so cool, right? And all of a sudden you see it. So, this is something like that. It’s like shopping virtually with that Google thing that you-

 

Max – 00:18:00: Yeah, the VR, the Oculus, right?

 

Ganjar – 00:18:02: Right, Oculus, thank you. So, they demonstrated that, right? They have people wearing the Oculus and they just load a software application and they can just virtually walk down the aisle of the supermarket and grab stuff and put it in their shopping cart, a virtual shopping cart. So, the customer will have their own experience, almost like a real experience without having to step out of their home, right? So, they’re testing those things out, just like any innovation, maybe one out of 10 things will materialize soon, right? And the other nine would die. But all these things are exciting. And now, for my organization, when we talk to our franchisees, we have people who sit in the so-called technology committee. So, these are the individuals, part of the franchise group, who will help us define the technology roadmap, the investment, and so on and so forth. They’re already asking for those technologies. They want to know, like, hey, what do you think about this? What do you think about that? So retail is quite exciting at this point where there is a lot of potential to be unlocked through technology. And there is going to be a huge, huge homework for InfoSec to protect all these innovations.

 

Joel – 00:19:15: Oh, absolutely. New layers to transmit credit cards. I had the picture in my mind of hackers showing up in a virtual store and hacking a virtual pen pad. And I mean, I don’t know. I mean, it gets crazy.

 

Max – 00:19:29: Yeah, it’s like the matrix, right? Exactly. Yeah, I think the younger generation would prefer a virtual first experience, nothing real, text me, I’ll order it. And then if I want to go live somewhere, I don’t have any experience. I’ll put on my glasses, but I’m still not going to walk outside and actually order.

 

Joel – 00:19:48: Yeah, no, it’s so funny. You know, when I hear that, you know, yeah, I hear you talking, you’ve got and that’s interesting. And I think this is maybe, you know, the sign of the times, you know, you’re getting asked for that. And so, some of these flashy things, I would imagine people are asking you for it and a lot of corporations are like, oh, I don’t let’s let’s go figure out how to do this. Not saying yours, I’m sure you’ve got a plan. But most corporations are like, they’re taking all these requests for virtual and all those, other robotics automation. And I’m like, how am I going to do this? Because people are asking for it, which is different, right? It’s a different paradigm than what it used to be.

 

Ganjar – 00:20:24: Right, I think people are more, or companies, brands are more sensitive to the change of customer behavior, right? In that period, we’re seeing a changing generation, now, it’s a bit millennial, a bit of proportional or consumer base, right? It depends on your brand for sure. But they want different things, right? They care about different things. And with all these analytics, unlocking the data, they know more about the consumer behavior. So, they know that consumers want less friction. They know that the consumer base wants more, you know, value targeted marketing, they don’t want all the nonsense, right? If you want to market to me, market to me the right thing that I care about, right? And they want speed, they want ease. So, I think that’s what’s driving all these things, but not all retailers have like that. They’re still very legacy, traditional brick and mortar retail brands. And there’s nothing wrong with that, right? That’s just their model and they cater to the older generation, maybe who is more comfortable with paying with cash or even check, right? We still see that you try to introduce the QR code and then it’s like, oh, I don’t know how to do this. Then you’ll create friction for those, a kind of consumer base. So, I think you have, just have to be very sensitive and you have to understand what the consumer wants.

 

Max – 00:21:42: Yeah. I think Ganjar you, you know, trying to distill your consumers, right? Because some details I know we worked with. I’ve worked with a few where it’s almost like they’re transitioning from one generation to the next. And they’re trying to figure out what’s the right thing, right? In order to serve. So, you don’t create two different kinds of omni-channel strategies that never really work, right? Sometimes it works, sometimes it doesn’t. But Ganjar, you kind of mentioned something of interest. You said some sort of a technology committee. So, do you see that kind of a typical practice where you’re getting together with franchisees? And they’re helping you figure this out in terms of what the consumers want, or are you just relying on analytics only? What are some ways? Where you’re getting what they want in terms of. Capabilities. And also, the trade off, right? Because the more-easier it gets, basically, that they’ve got to give up. Private information to make their own life easier, they’ve got to incur some. You know, hey, I’ve got to give you my private information, right, in order to make that experience seamless o,r frictionless, as you put it, right? So, what are some ways where you guys are gathering this information from the consumer or from the franchisee owners?

 

Ganjar – 00:22:53: The pure franchise organizations that I’ve been with having these committees, I would say it’s a gold standard because the franchisees are the ones who deal with the consumer. Correctly. Right? The proper people, the brand they provide, you know, they build you know, the platform but not as close with the consumer as the franchisee So, it’s important to hear what they say about how we can engage our customer in a better way first and foremost in terms of the data when you when you say data do you mean like we collect

 

Max – 00:23:27: Yeah, like analytics because that might be coming in directly from the consumer Like how they’re visiting the website and stuff like that. So, you have data points there, but then you also have the actual franchisee owners that are interacting live with the actual consumer, right?

 

Ganjar – 00:23:43: Right, right. I think there are different ways to address that I know some organizations prefer to have a centralized customer data platform Right? So, it’s taken away quote unquote, from the franchisees to the franchisor. And the argument is, you would have good visibility of anyone who is interacting with the brand, right? And you, the franchisee, can tap into the database to see how the consumer engages in your geographic area for example, right? There are some brands that manage data in a decentralized way. There are reasons for that as well. But I think the bottom line behind this question is now we’re entering into this uncharted territory of data privacy. Yeah. In the past, retailers didn’t have to deal with it. Ten years ago, people cared about target breach and the retailers. We think that as long as we protect our data card data, we’re good. So, a lot of people went in with end-to-end encryption and tokenization, right? Just devalue the data and we’re good now. Well, now we want to unlock this customer data, right? We want to unlock their shopping behavior, their geolocation, their Facebook likes, what sites they visit, and we want to even unlock the non-loyalty customer data. Right? So Max shops at Best Buy, for example, but you’re not their loyalty customer. And Best Buy might still want to know what you like from their website, right? So, they want to build your profile. And it’s all legit because that’s the way we do business. But how do we make sure that we’re not violating any privacy requirement? How do you make sure that for those data we collect, we anonymize them while still being able to attribute them to specific individuals so we can provide targeted marketing? So, security is always involved in those conversations. You know, it’s not like the kind of problems where you have the solution ready out of the box, right? You have to, you know, look at the problem, talk with the business, understand what they’re trying to do and look at different options that are available out there that you can combine, mix and provide to the business to allow them to grow their business without compromising security or privacy.

 

Max – 00:26:02: Yeah, man, that’s a big challenge, right? I kind of recall earlier you mentioned Malaysia. Right. So now when you add localization to it with different countries in terms of what it means to have privacy in Europe, in Asia, wherever your brand is. How do you localize it? You’re absolutely right. There’s really not a good solution you kind of have to look at. What is the business eating and what is the most pragmatic way to press forward? Because I think harmonizing, you know, I haven’t seen, Joel, I don’t know if you’ve seen any kind of harmonization effort of privacy. I know NIST tried to do something, but I personally haven’t seen anything nationally, but you know, forget internationally, right, but even nationally, I haven’t even seen a straight definition of privacy.

 

Joel – 00:26:48: Right. Well, privacy, in my opinion, is a heavy legalist on my opinion, it is reality. It’s a heavy legal thing. So, let’s get a whole bunch of legal experts, some regulators and government entities. I mean, it’s surprising they haven’t come to an agreement by now. I don’t think we’re going to have harmonization anytime soon in that space. And so, it leaves it all this translation work up to the individual. That’s what I’m seeing is that I know you do a lot of work in that Max. Is that what you’re seeing as well?

 

Max – 00:27:17: Yeah. Yeah. Like I remember 10 years ago, nobody would care for an IP address 10 to 15 years ago as private information. But as Ganjar pointed out, right, if that’s how you’re building the profile, maybe that’s a one indicator of a profile is an IP address though as cyber professionals, we know it can be spooked. But when you add it all up, the likes and the visits on websites, right, you start to put together somebody’s profile, who knows who’s this. But yeah, I haven’t seen a consistent definition. Ganjar, when you guys do this, have you seen a consistent definition or a definition that works for a retailer? When it comes to, you know, this is a profile, hey, this information, because it’s a profile, it has some privacy obligations to it.

 

Ganjar – 00:28:08: The practical answer right now, I think a lot of people are confused, right? We always defer to our privacy lawyers to tell us what they think about these things. So, whenever we try to embark on this journey to unlock customer data. We always consult with a privacy lawyer. What do you think it means? And even for the privacy lawyers, it could be challenging to, because as you know, right, CPRA will come into effect mid-year this year in June, I think, right. And I think Virginia is going to another privacy law. So, it’s spawning everywhere and still, we don’t have this one de facto privacy law at the federal level. So, I don’t have a team in InfoSec who would be knowledgeable enough and have enough bandwidth to track all these different changes to make sure that the way we collect, transmit, store, encrypt our data match with all these different, you know, regulations, right? So, I don’t know how to answer that question, Max. I think it’s a growing problem. It’s not getting better. It’s becoming more complicated.

 

Joel – 00:29:13: I was just going to say one of the things that I do is probably unfair, but I do a sort of a punt. And I was going to say, if this is something that you approach, cybersecurity builds data security tools. And we can classify data. We can protect it. We can track its movement. All kinds of things that we can do with data and controls and so forth. But how those controls apply, well, that’s up to the legal team to figure out. So, kind of punning it over. That’s my tactic. Have you done it? I mean, is that the way you’re dividing the labor?

 

Max – 00:29:45: Ganjar, before you answer that, Joel, it sounds like you’re either going to punt it to the IT or legal team.

 

Joel – 00:29:51: Yeah, it’s like, I’m just hoping somebody’s gonna catch it. No, I’ll make sure somebody does. Okay, I will say I’ll go that far.

 

Max – 00:29:58: Yeah, that’s a good question because there has to be a heavy hand of legality, right? Kind of sets the tone. We could know the answer, but it requires all of this interpretation on what they’re comfortable with. But yeah, Ganjar, how involved is legal in these, you know, privacy, defining privacy controls and all of these kinds of things?

 

Ganjar – 00:30:18: Yeah, I think the legal function in these organizations have also matured a lot over the last several years in the infosec space, right? They’re now more involved in these conversations. Risk mitigation, they’re a good partner within FOSAC in a lot of cases, right, in many different organizations in retail, when it comes to working on your cyber insurance strategy, right, communicating with the board what that residual risk and the mitigating strategy is, and also the privacy aspect of it, right. So, I think the ideal case in a good organization, you would have a good debate, a healthy debate between the CSO and the general council when they talk about prioritizing data protection. Which data should we protect? Right. Because it’s just a lot. And you kind of try to boil the ocean, it’s just not possible. You gotta go with a very methodical justifiable approach that you want to go after that count jewel and you’ll protect it. And if something were to happen with other things, me personally, I would prefer to be in a position where I can say, we deliberately invest on protecting that count jewel and we know that we are taking some risk in these other things because the risk is more acceptable or likelihood is lower. But you just cannot protect everything, especially with these things that we just talked about, the proliferation of digital data, digital channels and all that stuff, unless they have unlimited information to be budgeted.

 

Max – 00:31:50: Right. Which, yeah, even the government agencies, right? Nobody has that, right? Nobody has anything like that. Yeah, I think that’s a key message, right? Like you cannot protect everything. And like you said, Ganjar, we have to make deliberate and intentional choices on what we can take risk on and what we cannot take risk on. I think that’s like a really lost concept when it comes to cybersecurity.

 

Joel – 00:32:14: You know, when I think about this, I know a lot of people’s idea and approach to dealing with this, especially a lot of the mandates to leave data in region, is a technology model that’s distributed where you leave the data where it is, and you process it and leave it local. And that works in a lot of ways. But you know, Max, you and I have had a lot of conversations around AI and ML. One of the ways that you get strong models is lots of data. It is the most data hungry thing that we’ve ever experienced in IT. And you have to have massive data models. So, this distributed model means that you can’t build large models across all of your data and still satisfy privacy. I see that being a bigger issue. There’s some ways to distribute across. But I don’t know. I mean, has your company kind of moved down the path to thinking about building some ML models and dealt with this distributed data yet?

 

Max – 00:33:10: I have heard people talk about it, like, you know, a concept that comes to mind, I don’t even know if this is possible. But train locally, report globally. I don’t know if that can actually happen. Right? Like we, technologists like to think of concepts to fit our understanding of the current law and the best security practice, which might be to leave the data there, do the training there, but I just want to know the sentiment of that information, whatever, right? But I don’t know. I know the Department of Defense is struggling with that because you have to have large training data sets and those kinds of things. But I compare it to the problem we have in the US, which is you’ve got 50 jurisdictions, 50 states, and there’s nothing that harmonizes it, right? And we’re moving things across each boundary, so but yeah, I don’t know, Ganjar, have you guys seen, have you guys invested into machine learning? And these kinds of things when it comes to large language models or are you guys moving in that direction where you have to collect data from all jurisdictions?

 

Ganjar – 00:34:11: Yeah, I don’t know about all jurisdictions, but definitely, you know, adapting machine learning and having to secure intelligence, and gaining a lot from the detail space like we discussed earlier before, right?  I don’t know where we are compared to other sectors. I think detail is still, again, dipping their toes here. There’s a lot of low-hanging fruits that they can unlock. I know some retail organizations have invested heavily on building a large AI team to do better targeted marketing, to build better operating models, for their café, for their hotel, for their store. And as far as I can remember, it’s all heavy centralized data but I have, you know, located at the floor-walk. That’s what I see. 

 

Joel – 00:35:00: That makes sense. And I imagine the other area that we may see it apply is not necessarily in the consumer experience, which we’ve seen a lot of different things about. But in retail, about cost saving and managing the supply chain, talk about COVID effects. Supply chain has been a mess and the cost associated with it. So, a lot of the back-end processes can really benefit from optimization through AI. So, I didn’t know if that was another area that was either in your company or in your purview being explored through ML.

 

Ganjar – 00:35:29: Yeah, so there are some projects in the past where some companies were exploring. I think it’s widely adopted now, right? The conversation with AI. This is very helpful in the detail space, when you pick up the phone instead of just the traditional IVR. That’s why if you want to order a coke, or you want to order a french fries, now it’s more conversational instead of using the detail space. I know some big brands that you must have heard of. They’re adopting this more AI-based customer engagement platform for the drive-thru. So, when you drive-thru their kiosk, they will probably recognize you from the mobile device that you’re within the vicinity of the location. And the menu that will be displayed is catered towards your last order, right? And the conversation will be geared towards preference, more of that. I think it’ll be an exciting few years for retail for sure in the next five years.

 

Joel – 00:36:28: So, I mean, I got to say, and that one of the things I’m laughing about is one of the problems with LLMs now is hallucinations. It’s got a whole new term. It’s when an AI is so sure about a wrong answer and conveys it with confidence. You pull up to your drive-thru and you’ve got an AI that’s tripping while you’re taking your order. That would be an interesting thing to work through from a security or operations perspective, I would imagine.

 

Ganjar – 00:36:53: Yes, for sure.

 

Max – 00:36:54: Yeah, I mean. You mix up the food the wrong way because your AI is hallucinating. I can imagine a ticket for that, right?

 

Joel – 00:37:02: Problem, I think.

 

Max – 00:37:05: Awesome. Well, Ganjar, I know we scheduled you in for a little bit of time. I had one last question for you before we let you go. When it comes to cybersecurity, right? Where do you see our field going, right? From your perspective as a director and an advisor, where do you see the shift happening in the next couple of years when it comes to cyber?

 

Ganjar – 00:37:24: I never liked the question around vision it’s hyper security max because it’s really hard to tell and you know, I tend to go wrong with my predictions But I’ll just say what I think is important for my organization and for my industry I think we need to stay more focused on making sure that we have good security hygiene We can talk all day long about you know quantum computing and machine learning and utilizing chat GPT to make team more efficient, you know Make the threat hunter more effective. But in reality, we’re not patching the vulnerability that was discussed 60 days ago, right? So, I’m a very pragmatic person in that regard I would suggest my colleagues and my peers to go down to the basics and make sure that you have your walls raised and your boat widened right as simple as that and by having a good basis, you can allow your business to grow and you can build the right security stack on top of it. But if you don’t have the base foundation, forget about the vision five years from now.

 

Joel – 00:38:33: Man, there’s so many things in that. Max, we could keep this going for a couple hours, just pulling on all those, I think.

 

Ganjar – 00:38:39: Why, you disagree?

 

Joel – 00:38:41: No, I agree completely. There’s just a lot to be said.

 

Max – 00:38:45: There is, there is. Well, with that Ganjar, we totally agree with you. There’s a lot of buzz. But not enough fundamental work is happening, right? When we’re still having issues around the same things, right? Patch cycle. And yet at the same time, we’re worried about machine learning, software bill of material, more problems emerging. So, we definitely agree with you and maybe we will have you back on the show. So, we appreciate you coming on the show and just kind of helping us understand the retail space and the security of it. But yeah, we just wanted to thank you for that.

 

Ganjar – 00:39:17: Yeah, no, thank you, Max. Thank you, Joel, it’s been a pleasure.

 

Max – 00:39:22: Emerging Cyber Risk is brought to you by Ignyte and Secure Robotics. To find out more about Ignyte and Secure Robotics, visit ignyteplatform.com or securerobotics.ai.

 

Joel – 00:39:33: Make sure to search for Cyber in Apple Podcasts, Spotify, and Google Podcasts, or anywhere else podcasts are found. And make sure to click Subscribe so you don’t miss any future episodes. On behalf of the team here at Ignyte and Secure Robotics, thanks for listening.

 

Ignyte Platform becomes a third-party assessment organization (3PAO), now listed on the FedRAMP Marketplace - Read More

X