SAFE AS HOUSES
BUSINESS INTERVIEW
In an exclusive interview, we talk to Mun Valiji, Chief Information Security Officer at Sainsbury’s, about the importance of a flexible approach when it comes to keeping on top of today’s continually-evolving cyber threats facing a 150-year-old retailer.
Written by Anna McMahon • Produced by Danielle Harris
SAINSBURY’S – WHICH ENCOMPASSES SAINSBURY’S SUPERMARKETS, ARGOS, NECTAR, SAINSBURY’S BANK AND HABITAT – OPERATES WITH OVER 28 MILLION CUSTOMER TRANSACTIONS EVERY WEEK.
As the most senior member of the leadership team responsible for security across a multi-channel and multi-brand business, Mun Valiji is accountable for setting the end-to-end security strategy, roadmap and the protection measures for all of Sainsbury’s UK operations.
So, how would Mun Valiji describe his multi-layered role? He says, “I think a business-enabling strategy is one of the most important contributions I make and how I bring security to Sainsbury’s. We have to be seen as a business-enabler; to be empowering, rather than impeding technology and transformation. Security has to be at the heart of the proposition. I sit within a leadership team that recognises the absolute importance of privacy, trust and assurance in terms of building the brand, as well as doing the right thing by the families, communities and society we serve. Having a customer-first, business-first proposition in mind is essential, but trust and privacy absolutely have to be part of that.”
MUN VALIJI
Chief Information Security Officer
Speaking a language that the business understands, not making it too technical or too scientific, is key to Mun Valiji’s approach. He explains, “At the end of the day, if people don’t understand what you’re trying to do and the approach that you’re trying to take, it’s difficult to engage. What is essential is to be clear, to be outcome-based in your communication, and to articulate what you’re trying to do in as non-prescriptive terms as possible.
“We measure things in terms of outcomes and against our adherence to regulatory compliance because that’s essentially a requirement. If you can do that and keep it non-technical and as simple as possible, it’s easier for people to come on the journey.”
Mun Valiji does not underestimate the importance of support from senior executives in meeting the security requirements of the business. He adds, “To be able to grow the business, to be
able to transact securely and safely, whether it be online or in-store, security is absolutely important, as well as the ability to communicate that message and elicit support all the way down.
“Executive support is one thing, but to be able to get to the next level of execution becomes even more important if you’re actually going to engage and deliver a programme of change.”
An ambassador for security in a world where you can’t open the newspaper or read a newsflash without hearing about a data breach or loss of confidentiality, Mun Valiji is passionate about the adoption of a versatile approach when dealing with security risks. He explains, “You have to be flexible. What we are doing today is totally different from an adversarial point of view to what we were doing 12 months ago. The level of sophistication of attack that I’m protecting the business against is constantly evolving, so you have to be versatile in how you respond to that. We set out the strategy, which is generally a 36-month strategy, but within the three years, we would effectively look to respond differently based on the changing landscape, the threats, and the evolution of risk.
“In the way that technology has to morph over time, we have to be dynamic and elastic in the same way with security. Otherwise, you lose sight of what’s important and you don’t make the most of the investments and assets that you’ve built up.”
“InteliSecure has really taken the time to get to know our business. They are truly a leading and trusted partner helping us deliver a progressive security program” – Mun Valiji, CISO
The difficulty that Mun Valiji and his team face is that they are not simply dealing with one single threat, but many, often unforeseen, challenges. So, how can Sainsbury’s best protect itself from a retail perspective? Mun Valiji answers, “The concentration of resource and effort is centred on understanding how we can continue to build our online proposition. This means ensuring that the business is available, is able to transact, and can offer an online service to customers at all times from anywhere. An impediment to that would be a service availability attack, or means by which the online operation is disrupted.
“My role in minimising the disruption is to ensure we have appropriate detection, protection measures and a strategy to be able to identify, as pre-emptively as possible, any risks that might disrupt the online operation. In simple terms, the net impact of any disruption to service is loss of revenue and potential erosion of customer confidence. If we have a system that is affected by a vulnerability, for example, it could potentially disrupt back-end operations and be revenue-impacting. That’s a whole different level of severity that we’d have to respond to.”
Sainsbury’s has measures in place to safeguard customer information, as well as subscribing to intelligence
services to ensure the brand name is associated with the right sentiment. According to Mun Valiji, “It’s about having the basic pillars and fundamentals in place and working effectively – having good security operations and incident management that allow us to protect the business. We have processes in place to ensure that when we build and provision new systems or services, the appropriate sign-offs from a security perspective are inherently built-in. So, we’re able to work with our curious colleagues to provide the governance around their experiments. Then when changes do take place, are we maintaining a continuous compliance stance to adhere to regulatory and contractual requirements and protect our Crown Jewels?”
“SAINSBURY’S IS A DATA BUSINESS WITH ONE OF THE MOST EXCITING DATASETS IN THE UK FROM OUR MULTIPLE BRANDS INCLUDING ARGOS AND NECTAR. ROBUST, PROACTIVE AND FLEXIBLE SECURITY CAPABILITIES ARE MISSION CRITICAL FOR US” – PHIL JORDAN, GROUP CIO
OUR PARTNERS
The Sainsbury’s Tech and Splunk partnership continues to grow as both organisations are aligned in their corporate objectives - both want to ensure business success. Each recognises the need to turn data into action, to solve problems and spot opportunities at pace and deliver a data driven future for the benefit of all.
Through a trusted partnership with InteliSecure, Sainsbury’s has been able to maximize the use of disparate technologies by delivering a comprehensive security program. InteliSecure is far more than a service integrator, helping Sainsbury’s to build a robust programme to meet regulatory commitments and protect data.
Symantec, the world’s largest pure-play cyber security technology organisation, is focused on helping Sainsbury’s secure the business with an integrated security capability across all the main vectors, Endpoint, Email, Web and Cloud.
Netskope helps Sainsbury’s secure its cloud and web data in one platform by simplifying infrastructure and operations.
In terms of its transformation journey, Sainsbury’s has brought all IT into Sainsbury’s Tech, Digital and Data with security sitting at the centre. Mun Valiji says, “It’s a really exciting time to be a technologist within
Sainsbury’s. Everyone knows that retail is going through a lot of changes, so there’s the opportunity to transform. My role is to ensure the overlay of security and compliance is delivered singularly and effectively at all times.”
Embracing strategic partnerships is something that Mun Valiji considers to be fundamental to building security success. He says, “Having a select, few impactful strategic partners who understand the outcomes we are trying to deliver is essential. The partnership should be an engaging, long-lived, collaborative relationship that works both ways.”
Some of Sainsbury’s key partners include Netskope, Symantec, Splunk and InteliSecure, to name a few. Mun Valiji adds, “They are valued, trusted partners who I’ve worked with for most of my professional life. For our strategy and evolving program of change, they are the right choice, but we constantly look to review our partner program to make sure we are doing the right thing by the business and the changing cyber landscape. We challenge our partners to be as progressive as possible, and always hold their feet to the fire on that.”
For further information on Sainsbury’s products and services, visit their website and social pages.
www.sainsburys.co.uk