A company’s success can be heavily defined by the strength of its cybersecurity strategy when responding to and preparing for cyberattacks. Steve Kinman, Zalando’s Group CISO, discusses the company’s cybersecurity approach and how it has overcome security challenges during COVID-19.
As one of Europe’s leading eCommerce companies, Zalando offers fashion and lifestyle products to customers across the region. Having a robust cybersecurity strategy in place is a defining factor in its success and crucial to its prosperity. Steve Kinman explains more.
Can you tell us about your role and how it contributes to Zalando’s security efforts?
I am the Group CISO and was hired to change the way we visualise security, the overall strategy, and how we put security operations, product security and baseline controls in place. I cover all of our customer-facing products like Zalando Fashion Store, Zalando Lounge, Zalon, and our Partner Platform product security.
How does Zalando ensure it operates with a strong cybersecurity posture?
In my background, I’ve created everything based on frameworks, so I generally take NIST 800-53 Risk Framework controls and then tailor them with more specific controls to meet the company’s required needs. We call these ‘Core Controls’. Everything we implement, no matter if it is teams, technology, or processes, is tied back to those core controls, and they are our North Star when designing principles, policies, standards, or guidelines. Once the controls are in place and continuously monitored for effectiveness, we complete quarterly assurance testing combined with internal and external assessments and base our overall security posture on that testing outcome. These controls are essential when things like COVID-19 happen and your entire workforce begins working from home because your framework and strategy remain the same. I had many people reach out and ask about our security coverage for COVID-19 now that our employees are working from home – if you build your strategy and base your core controls on a known framework, you don’t have to pivot or focus on a new plan or new defence; you keep monitoring your controls and ensure they’re in place.
How would you describe the current threat landscape and what steps can be taken to improve it?
I think it has changed. It’s harder to see the traffic you’re trying to monitor and it’s harder to find specific anomalies that we’ve been able to look for in the past. The challenge is now how you see the remote network traffic, how you log it, build notifications, and have some comfort that you see and understand the entire picture. The challenge is now more difficult in many ways, but if you base it back to the same core control requirements, then the operations are still the same overall, but you must increase your visibility into the traffic.
What would be the impact of having a poor cybersecurity posture in your industry and how would this affect customers?
One of the main risks in this regard would be associated with automated threats, as ‘Bad Bots’ are on the rise right now, especially within eCommerce, and are in use for credential stuffing attacks that lead to account takeovers, product sniping that blocks or limits inventory, fake account creation leading to fraud for the customer and the company, and overall denial of service. Without controls or products in place for this, you’re doing a disservice to your customers and your business.
What is Zalando doing to help close the cyberskills gap, if anything? Do you have plans to invest in this area moving forward?
Within the security market, I assume it’s going to be much like it has been and we will have to continue to build these skills from within. However, I think the market will be quite interesting during and after this pandemic and there could be a large talent pool available that already has the skills we need. Regardless, Zalando offers excellent personal development training, resources and budget support for training on specific cyberskills and certifications. The Information Security unit also budgets and facilitates an apprentice programme where we can teach basic security topics and functions to people as part of their curriculum, with an option to hire at the end of the programme.
How do you predict the cybersecurity industry will evolve over the next five years?
It’s quite hard to predict – I think you have to look at it differently now as our ways of working have suddenly changed. It was already heading this way, with many companies offering work-from-home options, but now we’ve fast-forwarded at least five years. This shift in ways of working makes Zero Trust environments and identity governance very important as you control how you manage access to data and by whom it is processed, to be able to meet ethical data use and GDPR requirements. Whether we are ready or not, we have lost the protected confines of the corporate network; data can go to any device, anywhere, at any time. These create difficult operational challenges that will need to be solved; auditors will require evidence that you have this securely covered, and it will become an integral part of your strategy and overall posture. Zalando is addressing this with increased investment into Identity and Access Management, technical asset and device management, additional logging and more efficient vulnerability management.
What advice would you offer other CISOs when it comes to bolstering cyberdefences?
A strategy should be principle-based – you have to have something in mind like ‘we are going to protect our customer data at all costs’. Then, 1) build policies based on any sound security framework (there are many), 2) build core controls as strong as required for your regulatory and risk appetite, and 3) build towards meeting those controls relentlessly. If you know what you are trying to solve and your measurement of success, you can solve the problem. As an industry, we must move away from ad hoc reactive security to more control and process-based, measurable and proactive security implementations.
Moving forward, where do you look to invest as a company?
There’s been a big push to automate some things that we do manually. Even though we’re 12 years old, we’re a very young company and we are investing and working hard to add new automation and more robust processes. We’re conducting POCs on AI-focused anomaly detection, digital footprint scanning, third-party risk assessment automation and additional support to enable security and privacy early in the development cycle. With all of these, automation is key and we will continue down this path.