Fashioning a new cybersecurity program
DIGITAL REPORT 2022
John Scrimsher, Chief Information Security Officer (CISO) at Kontoor Brands, shares how he built and developed the company’s cybersecurity program
On a mission to grow through innovative design and sustainable performance to excite more consumers, Kontoor Brands is made up of iconic names such as Wrangler and Lee jeans.
The global clothing company is a spinoff from parent company VF Corporation, becoming its own entity in 2019. While it may be a publicly-traded retail company with a primary focus on fashion, it faces the same cybersecurity challenges that many of its peers in the retail industry face.
Scrimsher explained how he works closely with the Retail & Hospitality Information Sharing and Analysis Centre (RH-ISAC). ISACs are non-profit organisations that provide a central resource for gathering information on cyber threats (which, in many cases, are to critical infrastructure), as well as allow two-way sharing of information between their members about incidents, threats, and their root causes. In addition, these organisations offer a platform to share a wealth of experience, knowledge and analysis relating to cyber threats.
“My role within the company’s mission, of growing to meet consumer needs, is to ensure that I'm keeping up with the innovation and identifying the cyber risks associated with that, as well as helping drive solutions that enable the business to achieve its mission,” said John Scrimsher, Chief Information Security Officer (CISO) at Kontoor Brands.
He explained some of the major principles that he follows when building a program:
• Making it user focused, keeping it simple – “Complexity is the enemy of security; the more complex we make any solution, the more likely people are to seek out ways around it.”
“Throughout the industry, we see challenges such as phishing and business email compromise (BEC) remaining top items of concern. Fraudulent activity is another issue, whether it's domain fraud – where people squat on domains and look for new ways to exploit those – selling counterfeit products, or using it as a phishing leverage to make the employees or customers think that they're getting an email from us,” he added.
Building a cybersecurity program for the future
Scrimsher started at the company in 2019 and was employed as the first cybersecurity team member, allowing him to build the rest of the team from the ground up. The forward-looking program is focused on ensuring visibility to all data processing systems and devices. It also understands the need to have a strong asset discovery and management program for manufacturing, edge devices and all areas of the business.
Dealing with third-party risk
When the world went into lockdown in 2020 – a state that many countries went in and out of intermittently throughout 2021, too – the global fashion industry faced exceptionally challenging conditions. As well as greater scrutiny on sustainable practices and a larger volume of orders to fulfill in a time of almost stationary supply chains, the increase in online shopping created a larger threat landscape to be exploited by bad actors.
• It can withstand scrutiny – A good cybersecurity program should be able to stand the test of time.
EXECUTIVE BIO
JOHN SCRIMSHER
TITLE: CISO
INDUSTRY: RETAIL APPAREL & FASHION
LOCATION: NORTH CAROLINA, US
John Scrimsher has over 25 years of experience in developing and leading security organisations across some of the most iconic brands in technology and manufacturing. While based in North Carolina, John has experienced living up in the Pacific Northwest as well as the Southeast and Northeast US and appreciates travelling around the world. His experiences with multiple cultures drive his desire to seek new and diverse opinions as a part of the security program. As the CISO for Kontoor Brands, the home for iconic Wrangler, Lee and Rock & Republic Jeans, John has built a forward-looking security program focused on ensuring visibility and resiliency based upon strong relationships across the business.
Being a forward-looking company that was established just one year prior to the global COVID-19 pandemic, Kontoor had started out planning for the future. This enabled its employees to move quickly
Following those principles, Scrimsher has been able to build a program that covers all the areas of cybersecurity from vulnerability management, third-party risk management, identity management and also governance, risk, and compliance.
“We're not going to try to adapt something that may have elements that don't quite fit with what we're trying to do. So, the way I describe it is that my goal is to build a security program for 2025, not adopt and adapt from 1995,” he added.
• Measurable visibility – It is important to be able to measure that the program has the level of visibility necessary to protect the environment and to increase that visibility where necessary.
• ‘All means all’ – When referring to implementing security methods such as multifactor authentication across all users, all means all. Granting any exception is a potential hole for bad actors to exploit.
71% of organisations report that their third-party network contains more vendors now than three years ago. When it comes to advancing business goals, this evolving business environment demands new approaches to third-party risk management that account for the changes in organisations’ reliance on third parties.
to remote working once the pandemic hit, allowing the company to successfully operate its eCommerce platforms.
Supply chains have also been a big issue in the cybersecurity industry, as any difficulties or delays with these can completely shut down business operations and lead to various damages. Scrimsher explained: “One thing we always do is look at the risk levels of the supply chain and, just like every other company, we do face the same risks around supply chain disruptions.”
“We're all out there trying to help each other protect our customers and our data through setting and maintaining global standards for all of our vendors. That way, our supply chain providers – whether they're software supply chain or product supply chain – all know what to expect, and they can start building their systems to be as secure as the industry is looking for,” explained Scrimsher.
Organisations that suffered a data breach while they had AI technology fully deployed
“It's everything – how do we determine what type of data we share with them? How do we determine what level of network connectivity we provide to them? How do we ensure that, when they have connectivity, we can track their identities to ensure we know who is accessing our systems or our data? So we work very closely with other retail companies that we would typically consider competitors, but in the cybersecurity world, we're all partners.”
Scrimsher is currently chairing the Third Party Risk Management Working Group with the RH-ISAC, collaborating with approximately 30 other companies on defining a set of industry standards that they can implement for all of the third parties and the requirements to attain them.
Keeping emails secure through cyber partnerships
The increase in digital transformation has
“As we look to the future, there's always discussions around AI technologies and the metaverse and things like that. It's keeping up with those conversations, making sure we know what types of data are going to be involved, what the risk levels are of that data and then driving the program based on that.”
Kontoor utilises best-in-class partners to help keep the organisation’s emails safe. “We treat our cyber security vendors as partners. This is very important for security because that helps them understand your needs better. We need to work with them on a daily basis to ensure that we understand the threats and that they understand our business needs, so that we can implement it as effectively as possible,” said Scrimsher.
saved an average of US$3.58mn in 2020. One way in which Kontoor reduces risk of a data breach is to continuously assess the business and identify trends such as the former.
meant more people are connected, and also a move to more people working remotely, partially due to the global pandemic. This change in environment has led to a rise in cybersecurity issues; for example, the high volume and sophistication of advanced email attacks have caused significant cybercrime losses, with business email compromise losses alone amounting to nearly US$2.4bn in 2021.
Reflecting on the past 12 months, Scrimsher explained how one of the biggest improvements has been his team's ability to detect and respond to threats. “Having a team that's able to constantly learn, keep up with the trends and be able to protect our company is, I would say, probably one of my proudest accomplishments.”
New technologies such as the metaverse are causing some concerns about privacy and data security. As everything is built virtually in the metaverse, cyber criminals have plenty of options to hack the data and misuse it for their personal gains.
“I would say that technology hasn't really changed the industry, but that the industry is definitely driving the need for new technology. Whether it's automation, better identification, or the machine learning and AI capabilities to better identify the threats. Those are all being developed in response to the needs of the industry.”
Scrimsher explained how one of the biggest challenges of working in cybersecurity is that they never know what the next challenge will be.
Since implementing tools provided by cybersecurity partners, such as Abnormal Security, instead of having hundreds of users reporting phishing or attempts at fraud, Kontoor has seen its numbers drop down to single digits – because its partners are catching it before the users ever see it. This has greatly helped the clothing company in reducing the user workload volume, allowing them to become more efficient and do their jobs, whether in marketing, sales or design, according to Scrimsher.
Facing the unknown challenges
“That’s the security world, there's always a new type of threat that comes up. In the next 12 months, I expect some of the biggest challenges to be really around privacy and deep fakes. As we start moving into the metaverse and AI usage grows, I think it's going to be a challenge for us to really figure out the right way to address that and ensure that we're protecting our users from fraud and other threats.”
As the threat landscape continues to grow, so do the challenges that face cybersecurity teams. Businesses are adopting new technologies and solutions, adapting in the face of adversity as they continue to navigate the new challenges. Although these technologies will ultimately lead to strength and innovation in organisations around the world, they can also create new risks and vulnerabilities that can be exploited.
Greensboro, NC
www.kontoorbrands.com