The Target breach and the other incidents that followed confirmed that cybercrime is a large threat to retailers. Both in terms of the hard costs such as repair and damage payouts and in the soft costs like customer anger and mistrust. I have little doubt that if it’s not already happening, soon colleges and universities will be offering degrees specific to cyber security.
In retail, everyone reports to someone and eventually we need to decide the exact reporting structure for our cyber-security specialists. Like many business functions, including Loss Prevention, there is some flexibility in a cross-functional department.
My vote, however, is for cyber-security to become a part of Loss Prevention for four specific reasons.
Most people prefer to think “happy thoughts.” It is our tendency to focus on the “good” outcomes and avoid thoughts of the potential “bad” outcomes. This is why humans are mostly terrible at assessing risk. When merchants, operators, and executives imagine selling their goods, they envision beautiful floor displays and happy honest customers serviced by happy loyal employees.
The Loss Prevention professional tends to see shadows.
Bright smiles hiding devious intent, blind corners perfect for theft, and distracted employees unaware of the dubious behaviors of slick thieves.
Dramatic? Perhaps, but the nature of the LP business is to think like a thief. To consider how, when, where and what the dishonest might take and then find ways to deter, prevent, or recover the lost goods.
That healthy dose of cynicism is required for cyber-security. In building our defenses we can’t think simply in terms of “what is easy” or dismiss the processes that may be inconvenient. A cyber-security department has to build the best, most efficient mousetrap … or barricade . . . and that practice Loss Prevention professionals have been engaged in for decades.
Other departments have many focuses; Loss Prevention has one - to protect the company assets. Cybercrime is an evolving practice. It’s perpetrators have a single focus, they spend their days looking for new ways to breach the technology safeguards. In most ways, Cybercrime is much like shoplifting and it shares many aspects of Organized Retail Crime. The best way to combat it, is with a team who has an equal passion to prevent it.
It may seem logical and proper to place cyber-security inside the structure of our IT department. IT departments, however, have a different focus. They look at efficiencies, they think in terms of function, and they have several competing projects and maintenance responsibilities to contend with. Although they are experts in tech, Cybercrime programs require both the tech element and the criminal behavior element. Consequently, the LP department is the best place to blend these two fields.
3. Flexible in the Big Picture
“We can’t do that, it will impact sales!” If I had a dollar every time an LP suggestion met with that statement I’d be watching the Cartoon Network instead of writing an article. LP professionals anticipate this response at the onset of their program development ideas. In Loss Prevention, we understand that every new process must be balanced against customer service, employee resources, speed of transaction, and store design and culture.
Those obstacles don’t get in the way because they are included in the planning. We ask the questions like—how can I create the most effective, least obtrusive audit? And—how can we use this software without adding extra time to a customer transaction?
These are the types of questions are needed for cyber-security practices. Yes, in theory there are things we “must do,” but in real practice we can’t turn a five-minute check out into a thirty-minute practice or implement systems that make our customers feel like they have gone from guest to suspect.
In Loss Prevention we’re already well schooled in the dichotomy of prevention versus service so we can aid in reducing both the learning curve for our new IT partners and the implementation time.
Like many LP professionals, on my first day of retail security I had no idea what a “rounder” or “waterfall” was, I didn’t know the difference between an IPT and UPS, and MOOS sounded like something that grew on the north side of a tree.
But I learned.
Not only did I learn what all those retail acronyms and terms meant, but I also learned how to speak the language of retail sales and operations. LP professionals, to be successful, become retail operations specialists. We walk the line between business people and law enforcement people—if you don’t think that is true, try to explain refund fraud to a rookie police officer…or in some cases a seasoned District Attorney.
This self-educating process makes Loss Prevention the perfect place for cyber-security. It is a fairly new world, with a developing language, and practices that will need to fit and bridge transactional security with transactional customer friendly practices. Loss Prevention departments are already well-practiced in learning new business languages, so they are the best leaders of these new efforts.
All In One Place
As I opened with, cyber-security efforts could be placed in many areas of our operations. It will fit in IT, in Legal, in Operations, or in our on-line departments, but the best fit will be in Loss Prevention. In addition to my previous four reasons, there is the benefit of keeping security in one place.
A single entity to oversee both the physical and electronic security of our business will lead to greater efficiencies, more effective programs, and an oversight model that ensures the left hand knows what the right hand is doing.