SafetyDetectives recently interviewed Suzie Squier, the president of RH-ISAC, an organization dedicated to enhancing cybersecurity in the retail and hospitality sectors through collaboration and information sharing. With a background in retail and a keen understanding of the industry’s cybersecurity challenges, Suzie has been instrumental in expanding RH-ISAC’s reach and impact. Since its inception in 2014, RH-ISAC has grown significantly, fostering a strong community of trust among its members. Suzie’s leadership has helped the organization evolve, providing critical resources and support to help member companies navigate the complex cybersecurity landscape.
Can you tell us about your background and what inspired you to help found the RH-ISAC?
Prior to joining RH-ISAC in 2017, I cut my teeth in the retail industry while working as the EVP for membership services at the Retail Industry Leaders Association, or RILA for short. RILA is one of the industry’s largest trade associations and it has many of the same member companies as RH-ISAC. In late 2013 and early 2014, the retail industry experienced several high-profile cybersecurity incidents in which customer financial data was compromised. At that time, there was not an ISAC for the retail industry. But during this crisis, retailers realized the value of having a sharing community to help combat cybercrime across the industry. In the spring of 2014, several dozen retail leaders gathered in Pittsburgh for a series of collaborative meetings, which resulted in the creation of this organization to offer a secure place for retailers to share cybersecurity information and intelligence. We were initially founded as the R-CISC (Retail Cyber Intelligence Sharing Center) and only had retail members, but we realized that all consumer-facing companies face similar cybersecurity challenges, and it would be beneficial to expand the community to be more inclusive. In 2019, our name changed to Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) to reflect this expansion.
What was the vision behind creating RH-ISAC, and how has it evolved since its inception in 2014?
The ISAC model was created in response to Presidential Decision Directive-63 (PDD-63), which called for each of the 16 critical infrastructure sectors to voluntarily establish sector-specific organizations to share information about cyber threats and vulnerabilities. Although retail is considered critical infrastructure within the commercial facilities sector, the industry had not yet established a cyber-sharing organization in 2014. So, when our group of leaders gathered in Pittsburgh to discuss how we could best combat the cyberattacks plaguing our industry, it made sense to follow the ISAC model and create this type of community for retailers. Since some other industries had already set up ISACs, we were able to get insight from them and determine how to best meet the needs of our community.
Over the past decade since our founding, we have evolved in so many ways. Aside from the growth in numbers (from 30 companies in 2014 to more than 270 now), one of the biggest aspects that has evolved is the trust and sharing within the community. In the early days, companies were hesitant to share information about attacks or vulnerabilities they were experiencing. But over time, and with deliberate intention, we were able to create a strong sense of trust and a true sharing community that offers value to each member company.
RH-ISAC emphasizes collaboration among its members. Can you elaborate on the strategic and tactical information-sharing channels you provide and how they enhance member capabilities?
RH-ISAC connects cybersecurity teams at the strategic, operational, and tactical levels to work together on issues and challenges, share best practices, and benchmark among each other – all with the goal of building better security for the retail, hospitality and travel industries through collaboration. We do this through weekly and monthly conference calls, chat messaging through Slack, a portal website that has discussion boards, and a threat intelligence platform that allows for sharing and receiving information about cyber threats. Our members also collaborate through working groups, which meet on a regular basis to share knowledge, use cases, and leading practices in a given subject area. All of these resources act like a force multiplier for each member company’s cybersecurity team to improve visibility into the threat landscape and expand capabilities for threat ingestion and analysis and in other security domains.
What role does education and training play in RH-ISAC’s strategy to enhance cybersecurity within member organizations?
Cybersecurity is constantly evolving, so anyone who works in the field must constantly be learning about and adapting to new threats. To support this need, RH-ISAC offers in-person workshops and conferences throughout the year so that our community can continue to learn about emerging threats and mitigations. We also offer webinars that cover a wide range of topics. Additionally, we have on-site training about specific tools and security topics, as well as scenario-based exercises that help organizations test their response to a hypothetical cyber incident. These are often hosted in partnership with an industry partner such as SANS, IBM, Google, etc. Internally, RH-ISAC also participates in CISA’s Cyber Storm exercise, which brings together the public and private sectors to simulate discovery of and response to a significant cyber incident impacting the nation’s critical infrastructure.
What are the most common cybersecurity threats facing the retail and hospitality sectors today?
Each year, RH-ISAC releases the Industry Insights report that compares the data from Verizon Data Breach Investigation report with data from RH-ISAC members. This year’s report showed credential harvesting, ransomware, and phishing as the largest share of threats facing the community. Third-party risk was also a key trend, along with threat actors increasingly using generative artificial intelligence to innovate fraud methodologies.
What advice would you give to retail and hospitality companies looking to improve their cybersecurity posture?
There are so many aspects that a company needs to consider regarding their cybersecurity posture, and what each company prioritizes will depend on their size, resources, and existing program. So, what may be good advice for one company won’t necessarily be applicable to another company. That being said, regardless of company size or priorities, being an active participant in the ISAC sharing community is one of the best ways that all companies can strengthen their own defenses while also helping to defend the entire sector.