CIOReview | October 2018

IMPLEMENTING A CYBER-SECURITY PROGRAM: THE JOURNEY OF TRUE PARTNERSHIP WITH IT
By Maurice Edwards, Senior Vice-President Enterprise Risk, Mattress Firm

Over the past seven years, Mattress Firm has been one of the hottest retailers in the world, increasing its store count from over 750 stores to over 3,500 stores through both organic growth and acquisitions. As is the case with many fast-growing organizations, it is sometimes a challenge to make sure that infrastructure and programs keep pace. In 2014, our Executive Management and Board of Directors recognized the need to address cybersecurity due to the high-profile cases making headlines, many in retail, which can create regulatory, legal, and brand reputation damage.

While our company did not have personal health information or payment card data, we held millions of records of payment card transactions and personal information including addresses, phone numbers, and email addresses. Due to the average ticket of each sale and the highly promotional nature of financing within the furniture business, more than 80 percent of our overall sales were transacted with either credit cards or credit financing.

Our Starting Point

Our starting point was, simply put, no staffing, no roadmap, and no cyber-insurance. Our first step was to create a governance structure for cybersecurity. To ensure top-level support of the organization, the cybersecurity Governance Council reports directly to the Audit Committee of the Board of Directors. The council is a cooperative effort led by the Senior Vice-President of Enterprise Risk and the Chief Information Officer. The relationship between these two functions was dependent on the overall success of the program. The CIO and I quickly determined that this function should be split: cybersecurity would report directly into ERM (Enterprise Risk) to ensure independence for governance and budget purposes, while ITS would have oversight of the implementation of certain aspects of the overall program.

A lot can be said for that relationship, as we were equally invested both strategically and operationally in seeing the program succeed. To assess our most critical exposures, our management team conducted a tabletop exercise that included four scenarios. Immediately, we made the decision to replace aging firewalls with "next gen" firewalls for border protection, to roll out OpenDNS for web filtering and botnet detection/prevention, and to implement additional malware detection.

While taking these initial first steps, the governance council decided to adopt a five-level maturity model to help us assess and plan our efforts over the course of a multi-year journey to excellence in cyber. We settled on the CMMI framework used by many government organizations:

Finally, we knew it was important to begin reporting on cyber to the board level on a regular basis to keep the issue "front