Intelligent CISO Issue 16 - Page 46

industry unlocked Alternatively, if they outsource such activities or obtain a platform-based solution from an external vendor, then they must conduct a security due diligence exercise annually. The risk of security breaches exists in every organisation and a vendor that is able to adequately provide assurance affirming that they consider security as an important business objective for themselves, is the one that will usually be able to avoid such embarrassing and costly incidents. Retail organisations should also consider including security metrics in their own business reviews. These could include numbers related to vulnerabilities discovered and resolved in the software applications that are being actively used, the number of incidents or events that surfaced in a given duration. It can also include whether an active bug bounty program has been implemented 46 Retail organisations should also consider including clauses and penalties related to data protection and data privacy in their vendor agreements. and if so, then how many bugs were reported and resolved within a given period. It should also review the risk assessment of the data that is being saved, whether a detailed risk mitigation and business continuity plan exists and whether these plans have been tested. Retail organisations should also consider including clauses and penalties related to data protection and data privacy in their vendor agreements. This ensures that a vendor becomes legally bound to provide adequate measures of security as part of their promised security deliverables. The retail industry as a whole has been adopting most of the practices that appreciate security as an important business objective for them and it is quite likely that those who treat security seriously are the ones that will ultimately prevail in the market. Security and privacy consciousness of the general population has been improving rapidly in the post EU GDPR world. This industry stands to upset the very audience it targets if security is not treated the way it should be. u Issue 16 | www.intelligentciso.com