Tanium helps Frasers Group, one of the UK’s largest retailers, manage risk and increase business value as it becomes a global powerhouse through acquisitions. Matthew Wilmot, Group Head of Enterprise IT and Information Security, Frasers Group, discusses the business requirements which included new capabilities for penetration testing, vulnerability scanning and greater endpoint visibility, and tells us how he stepped in to manage this seamlessly with the help of Tanium.
Frasers Group is all about growth. The UK-based retailer started in 1982 as a modest one-store operation and has grown into a global, multi-brand powerhouse. Today Frasers operates hundreds of stores, employs over 25,000 people and runs both brick-and-mortar and online operations in 25 countries.
Much of Frasers’ growth has come via acquisitions, often of troubled companies. It’s a strategy that’s ongoing.
All that M&A activity also means merging IT systems, a complex task that includes applying cybersecurity practices. More specifically, Frasers must decide whether a newly acquired unit should be permitted to follow its own cybersecurity rules or be required to follow those of the corporate parent.
To oversee this challenge, fairly recently, Frasers created a global group for information security and privacy. It hired Matthew Wilmot, formerly an IT consultant, as the group’s head. Wilmot now works closely with Richard Marlow, who joined in recent years as part of an acquisition and is today Frasers’ manager of vulnerability testing.
Working together, they created Frasers’ long list of cybersecurity must-haves. These included new capabilities for penetration testing, vulnerability scanning and greater endpoint visibility.
“We were struggling to get a hold on our overall environment,” said Wilmot. “The tooling we had really didn’t tell us much about our assets.”
Clearly, something new was needed. Fortunately, Wilmot was already familiar with Tanium and suspected Frasers could use it to dramatically improve its cyber hygiene, gain visibility into its vulnerabilities and keep its systems secure.
Initially, Tanium was deployed only in Frasers’ Game unit, a gaming specialist that operates over 250 stores in the UK plus an expansive website. Because Game operates as a standalone business, Wilmot reasoned, it could function as his test lab for Tanium. The first test was limited to just 10 stores because the timing coincided with the company’s busiest time, the weeks in December leading up to Christmas.
The test was a success and Frasers rolled out Tanium to an additional 200 stores, again with a smooth delivery.
During the Christmas season, as many other retailers were scrambling to mitigate the Log4j vulnerability, Wilmot, Marlow and their teams were celebrating the festivities. That’s because Tanium helped the company identify where Log4j existed in their environment and resolve the vulnerabilities quickly.
Now, Frasers is so confident in the Tanium platform, it’s requiring every newly acquired unit to use it as well. Tanium will be fully implemented at Studio Retail, its most recent acquisition, and Sports Direct, its largest unit by far, accounting for roughly 70% of total group sales.
Matthew Wilmot, Group Head of Enterprise IT and Information Security, Frasers Group, expands on the above, providing further detail about how the company worked with Tanium to achieve its goals and better manage risk.
Why did you decide to work with Tanium on this occasion?
I’d used Tanium in previous roles as a consultant and during my time, I worked on some of the big breaches that are well publicised in the press. Tanium was always on the roadmap and was something that I wanted to bring into Frasers Group.
When Log4j hit last year we were struggling as an organisation to locate all of our assets and understand exactly where these vulnerabilities were. So we trialled Tanium which pinpointed exactly where the information was and then rolled it out to the rest of the environment.
What challenges were the group facing prior to your work with Tanium and what were your cybersecurity must-haves?
Coming into the group as the first person in a senior position for Information Security, I noticed that the organisation wasn’t taking Information Security seriously. The external auditors were putting more pressure on what was being done from a cyber perspective from a defence point of view, but also around security of financial information and systems where financial information is stored and the access to these systems also. I came in with a two-year plan. The organisation didn’t necessarily have any issues, it just needed more of a focus to take areas relating to Information Security more seriously.
In terms of must-haves, one of the first things I did was design a Target Operating Model, so having the right people in the right position to do the right roles. I built out a Security Operations Centre and initially, using Microsoft Defender, we had E5 security licences, which meant that we have all of the Machine Learning technologies that you get as part of the vendor stack, which plays nicely into Sentinel. The initial thought was to get that off the ground and start monitoring and reviewing our environment. Then from that into a 24/7 SOC, which happened around six months ago and that’s using one of Microsoft’s security partners.
The other elements included doing vulnerability scanning, making sure I was fully aware of the vulnerabilities that the group faced but also to then build out a remediation plan to fix that.
The final thing I wanted to do was more testing. The group has done a large amount of development and building out the infrastructure and the networking. So, where some retailers have outsourced these environments, Frasers has kept them all in house. Keeping them in house is good from a control perspective, but you don’t necessarily have that right rigour or someone kicking the tires if you’re just doing it all yourself.
As a self-proclaimed global, multi-brand powerhouse, how important is maintaining a strict cybersecurity posture for Frasers Group and how do you continue this?
It’s hugely important because of the greater aspirations of the group. If we didn’t have the right level of cybersecurity and the maturity levels that we are currently obtaining, we would lose that confidence from our customer base and reputational damage is the hardest to repair. So, we focus on ensuring that we continually strive and modernise what we’re doing from a cybersecurity perspective, in order to stay on top of people attacking our organisation.
In terms of continuity, we need to make sure that we are aware of those vulnerabilities and that we fix those but also not rest on our laurels concerning our investments over the last year and a half. We’ve brought in some hacking technologies, Tanium being one of them, and then built out what we’ve done with Microsoft. But we need to ensure that we’re continually looking at best-in-breed for everything we’re doing and that’s from a firewall perspective. Everything that we’ve invested in over the last 10 or so years is probably getting to a stage where we need to modernise it. So, we’re looking at improving and considering next steps.
We want to make sure that more modern concepts are being brought in alongside a modern way of working – so putting the security down to the users rather than bringing users up to the security.
Since the pandemic, many senior leaders have had to rethink their digital/security strategies – has this been the case for you and if so, what steps have you taken?
Yes, however, we were already going down the route of cloud-first and of Microsoft licences and 365. So, arguably, we were already on that journey but it probably has accelerated to doing some of the good practices around it like Multi-Factor Authentication and making sure cloud environments are fully locked down and secure. So it’s enhanced and accelerated what we were already doing.
How are you better able to manage risk since rolling out Tanium across your stores?
It’s not just across the stores, but in head office environments too. It’s really increased our risk maturity because before Tanium was rolled out, it was really, really hard to locate devices.