Several companies in the retail industry are banding together to strengthen their defenses against hackers and data breaches.

The industry initiative, known as the Retail Cyber Intelligence Sharing Center (R-CISC), is an independent organization through which more than 50 of the nation’s largest retailers, federal law enforcement, and government agencies can share cyber-threat information to enhance the security of the retail industry’s networks and protect consumer data. 

R-CISC will also provide advanced training and education and research resources for retailers. Established in May 2014 by the Retail Industry Leaders Association (RILA), a trade group of more than 200 retailers, product manufacturers, and service suppliers, R-CISC is the first such initiative for an industry that has been besieged by cyber-attacks resulting in massive data breaches at companies such as Target, Neiman Marcus, and Michaels Stores.

Participating companies include Best Buy, CVS, Gap, JCPenney, Lowe’s, Home Depot, Nike, Safeway, Target, Walmart, Walgreens, and many more. Although RILA established R-CISC, “it’s a company-driven effort,” says Allie Brandenburger, director of communications for RILA. “They’re the brains behind the operation.” While companies may be driving the effort, they are reluctant to talk about it. All of the retailers we contacted declined to discuss the joint effort beyond the prepared statements they had issued.

The centerpiece of R-CISC is the Retail Information Sharing & Analysis Center (R-ISAC), which functions as the information-sharing forum for retailers. Examples of threat information to be shared include:

A description of threat or attack activity observed;

Specific attributes defining known or suspected threat activity;

Incident details, describing the “who, what, where” of a particular threat, including the targeted sector and the nature of data exfiltrated;

Tactics, techniques, or procedures of a particular threat;

Particular weaknesses that attackers may seek to leverage or exploit; and

Data describing the motive of hackers, or type of attack, in order to aid in better detection and prevention of future threat activity.

Leadership Team

Overseeing the initiative is RILA’s Retail Cyber-security Leaders Council, which consists of senior retail executives from eight companies: American Eagle Outfitters, Gap, JCPenney, Nike, Safeway, Target, VF, and Walgreens. The board meets about twice a month, with responsibility for determining the strategic direction and organizational priorities for R-CISC, Brandenburger says.

In a prepared statement, Walgreens CEO Greg Wasson said the company joined RILA “to share best practices and information with peers and other stakeholders in order to strengthen our collective defenses against potential threats.”

Ken Athanasiou, global information security director for American Eagle Outfitters, expressed a similar sentiment. “By sharing information and leading practices and working together, the industry will be better positioned to combat these criminals,” he said.

As with most retailers, the protection of customer information is also a top priority. “We are confident that by sharing with our peers and industry stakeholders through R-CISC, our industry will collectively strengthen its ability to protect critical customer information,” said Warren Steytler, vice president of information security at Lowe’s.

Three Components

At its core, R-CISC is made up of three main components:

The Retail Information Sharing and Analysis Center (R-ISAC):  R-ISAC allows retailers to share cyber-threat information with each other and share anonymized information with the U.S. government, explains Brandenburger. The goal of R-ISAC is to identify real-time threats and share actionable intelligence to mitigate the risk of cyber-attacks, she says.

Until the establishment of R-ISAC, information sharing had traditionally been a one-way street, Brandenburger says: either retailers shared information about cyber-attacks or the government shared information, but it did not flow both ways.

Even when retailers do receive information, “it’s not information that is actionable and intelligent,” Brandenburger adds. “That’s what’s different about R-ISAC.”

The way that works in practice is that a cyber-analyst and technician at the National Cyber-Forensics and Training Alliance (NCFTA), a non-profit group specializing in establishing public-private partnerships, process information about real-time cyber-threats from the government, or other sources, and then turn that information into actionable intelligence for the retailers.

Examples of such actionable intelligence may include new strains of malware, underground criminal forum activity, or potential software vulnerabilities.

Retailers are also sharing anonymized information with the U.S. government through partnerships that RILA has established with government agencies, including the Department of Homeland Security, Secret Service, and the Federal Bureau of Investigation.

Education and Training: Through R-CISC, retailers will be able to learn from stakeholders and advance practices on cyber-security, cyber-risk mitigation, and data privacy in a trusted environment.

In cooperation with the National Cyber Security Alliance, for example, R-CISC provides tools, such as employee tip sheets and training on information security best practices.  Retailers also have access to educational material they can use on their own Websites to equip their customers with tips on how to “stay safe online.”

The Retail Cyber Intelligence Sharing Center

Below is information on the Retail Cyber Intelligence Sharing Center and its mission.

The Retail Cyber Intelligence Sharing Center (R-CISC) is a non-profit group launched by leaders in the retail industry to promote cyber-security and data privacy through all appropriate means. These include the creation of a forum for sharing cyber threat intelligence to mitigate the risk of attacks by cyber criminals; the development of educational and training programs; and the development of leading practices on cyber-security, cyber risk mitigation, and data privacy.

Developed with the input of over 50 retailers, the R-CISC consists of three components:

Retail Information Sharing & Analysis Center (ISAC): brings retailers together for omni-directional sharing of actionable cyber threat intelligence, and functions as a conduit for retailers to receive threat information from government entities and other cyber intelligence sources.

Education & Training: works with retailers and partners to develop and provide both education and training to empower information security professionals in retail and related industries.

Research: looks to the future, undertaking research and development projects in partnership with academia, thought leaders, and subject matter experts in order to better understand threats on the horizon.

Membership is open to retailers and merchants of all segments and sizes and aims to include not only the retail industry but related merchant industries as well. The R-CISC is currently endorsed by the Retail Industry Leaders Association (RILA) and the American Apparel & Footwear Association (AAFA).

Board of Directors

R-CISC’s founding board of directors is comprised of representatives from retailers and product manufacturers. The board determines strategic direction and organizational priorities for R-CISC.

Ken Athanasiou, Global Information Security Director; American Eagle Outfitters;

Rich Noguera, Head of Information Security; Gap;

Scott Howitt, VP, Chief Information Security Officer; JCPenney;

William Dennings, Chief Information Security Officer; Nike;

Colin Anderson, VP, Information Technology; Safeway;

Jenny Ley, Director, Corporate Security Intelligence, Target;

David McLeod, Chief Information Security Officer; VF Corporation; and

Jim Cameli, Information Security Officer; Walgreen.
Source: RILA.

Additionally, through collaborations with educational institutions and other organizations, retailers will have access to educational resources and training programs. Brandenburger adds, however, that no formal partnerships with any educational institutions or organizations are in place at this time. “We’re talking with as many as we possibly can,” she says.

Research: Collaborating with academia to provide research on emerging technologies and potential future threats. Recognizing that threats are constantly evolving and technologies are advancing, R-CISC will help retailers stay ahead of these risks with one goal in mind, ensuring their business practices keep customers and data safe.

These three components combined make R-CISC “an important asset to the entire industry,” Brandenburger says. They enable those in the retail industry to stay ahead of cyber-criminals, she says, “and not just having to react to the threats that we see.”

In addition to its partnership with government agencies, RILA also consulted with third-party subject-matter experts, including security technology and services provider CrowdStrike; IBM; Verizon; and more to identify leading practices related to threat information sharing.

It’s also collaborating with cyber-security trade associations, such as the Information Security Forum, the National Cyber-Security and Communication Integration Center, and the National Cyber Security Alliance. RILA also has the support of American Apparel & Footwear Association and the National Retail Federation.

“The overall goal,” Brandenburger says, “is for R-CISC to become a resource of the entire merchant community.”