How Target’s CISO balances customer security and customer experience

Protecting consumers and their data while providing a good shopping experience has always been a challenge for retailers. Security measures such as multifactor authentication or challenge questions create friction in the buying process, but a breach that results in the loss of sensitive customer data could have a much bigger business impact than a few abandoned shopping carts.

Case in point: The 2013 data breach into Target’s payment system affected more than 41 million customer accounts and cost the company $18.5 million to resolve state investigations into the cyberattack. That event triggered Target to review and strengthen its security practices and policies, keeping that balance between security and customer experience in mind. Today, Target’s approach presents a model for other retailers to follow

In 2014, Rich Agostino relinquished his post as GE’s vice president of technology and risk compliance to overhaul and strengthen Target’s approach to cybersecurity, a job he continues to do as the retailer’s senior vice president and CISO. At the same time, Agostino has focused on keeping Target’s web interfaces user-friendly for online customers while keeping security enhancements in the background. For his efforts, the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) named Agostino the 2021 CISO of the Year and received its Peer Choice Award for CISO of the Year in 2021 as well.

“Anytime a guest has to answer a security question or take a minute out of the checkout process to do something to make themselves more secure, it can impact the convenience of their shopping experience,” says Agostino. “So, we do everything we can to keep that experience streamlined and positive while keeping our guests secure.”

Drawing the right conclusions about the Target breach

Before overhauling Target’s approach to cybersecurity, Agostino knew he had to draw the right conclusions from the 2013 data breach. What he learned ran counter to popular beliefs. “People tend to think about the 2013 Target breach as being significant because it was the first breach or the biggest consumer breach, but neither of those are true,” Agostino says. “The attack was significant because it was the first time that we saw a level of sophistication aimed at retail that previously had only been seen from nation-states attacking defense contractors and owners of intellectual property. It was really the first time that consumer-facing businesses had been confronted with this level of threat.”

Building an effective security team

Having grasped that Target and other retailers are now facing attacks by sophisticated cybercriminals, Agostino decided that just “closing the holes” in the company’s defenses wasn’t enough. “We had to win back trust from our guests, our team members and shareholders, and everyone else affected by the breach,” he says. “So, we put forward a pretty bold strategy in terms of how we were going to transform Target’s approach to cybersecurity, focused on building advanced capabilities that could evolve alongside evolving threats.”

To deliver on this strategy, Agostino built a capable in-house cybersecurity team, one with the numbers, knowledge, and programming skills to develop and deploy effective defenses. “This is why we hired hundreds of security experts from all sectors including finance, government, and industries in addition to retail,” he says.

This pool of in-house cybersecurity experts now works together 24/7 at Target’s Cyber Fusion Center (CFC) in Brooklyn, Minnesota. It is a vast, open-concept facility where the Cyber Threat Intelligence team monitors and analyzes cybercrime trends, while the Cyber Security Incident Response team develops Target-centric detection tools and detects threats to the company’s networks and systems. Meanwhile, the CFC’s continuous improvement experts document the teams’ findings, actions and results, while prioritizing their overall efforts.

Collectively, the CFC’s IT professionals provide Target with a “nation-state” level of response to cyberattacks. At the same time, they have the know-how to embed these tools in the background of Target’s web interfaces and operating systems so that customers enjoy a hassle-free online shopping experience

Building a sector-wide response

Agostino knew that upping Target’s game by itself wouldn’t be enough to protect his company and its customers. To make a real difference, the retail sector as a whole needed to substantially improve its approach to cybersecurity. To enable that, Agostino and Target helped to launch the RH-ISAC, an association of IT professionals that shares cybersecurity intelligence and information across these two consumer-facing industries.

“We realized that we had to also focus outward,” says Agostino. “We have to think of cybersecurity as a team sport and something that we can’t do alone. This is why we’re a founding member and top contributor in the Retail and Hospitality ISAC, which is the leading source for sharing threat intelligence information among retailers.” 

Changing corporate security culture

Too many times, cybersecurity breaches are caused by non-IT people making innocent but devastating mistakes. For instance, the Target data breach is believed to have started with someone at one of Target’s third-party suppliers being fooled by a phishing email.

To prevent this from happening again, Agostino and his team have been educating people in Target and its suppliers. “We had to continue building awareness around the company that this threat wasn’t going away and was only getting bigger every day in the industry,” he says. “And we had to educate everyone from our team members and our guests to think about security in their everyday life.” This point is underlined for consumers on Target’s Security and Fraud web pages.

The tone of Target’s consumer-facing security and fraud content mirrors Agostino’s belief in persuading people to care about cybersecurity, rather than bullying them into compliance. “Since we started this journey, our team mindset has been to educate versus enforce,” says Agostino. “This is why we’ve really focused on educating the tech teams through gamified training and making our policies really, really simple to follow so nobody has to read a 60-page document to figure out the right thing to do. We’ve also given team members self-service tools so that they can run security tests themselves instead of having to come to our team and wait for answers.”

Delivering business and security results

Based on Target’s current ability to protect itself against cyberattacks while maintaining easy-to-use interfaces for customers, this balanced approach “has been really, really successful,” Agostino says. “This has been proven during the tremendous digital growth and all of the new functionality that we’ve been able to roll out before and during the pandemic while keeping the company secure. I’m proud about what we’ve done on the tech side, and it’s a pretty big differentiator for how we run security here.”

Target declined to provide benchmark data it uses to measure the success of its security program, but a company spokesperson noted that security helped to enable the company’s “significant digital sales growth.” The Target security team also has 17 patents pending for technologies it created.

For Agostino, it is this successful balance between customer security and customer experience that matters most to him. “My job is to create an experience where guests can shop in a way that feels secure,” he says. “Yes, sometimes our decisions involve trade-offs in order to maintain this balance, but at the end of the day, we at Target are able to strike the right balance between security and a convenient shopping experience.”