Starbucks CISO Explains Security Outsourcing Model
The 62 full-time employees of the global cybersecurity team at Starbucks
Corp. can’t do everything. The international coffee giant designates
many tasks to those staffers, but also hires smaller firms to take on
cybersecurity responsibilities that augment employees’ capabilities,
Chief Information Security Officer Dave Estlick said.
The question of when to outsource security functions is key in the
retail sector, where there is a high volume of transactions and
relatively small security teams, according to research published in
August by the Retail Cyber Intelligence Sharing Center and Deloitte LLP.
Companies outsource cybersecurity work to overcome talent and budget
constraints and to monitor their systems for possible threats, according
to the report. At Starbucks, a member of the intelligence sharing
center, the decision to hire a vendor rests on whether that vendor can
provide a service that will help protect the coffee company’s brand, Mr.
Estlick said.
In one case, Starbucks outsourced an important role that was beyond its
expertise, according to Mr. Estlick. Starbucks for four years has relied
on a cybersecurity vendor to help fend off hackers who plug lists of
stolen usernames and passwords into automated tools, then use those
tools on Starbucks’ website and applications to try to access customer
gift card accounts. The company hired the firm in 2014 after breaches at
other organizations resulted in cybercriminals selling batches of
usernames and passwords on the dark web, said Mr. Estlick. Roughly 20%
of those breaches included valid Starbucks credentials because customers
re-used their name and password on multiple sites, he said.
“Let’s say another site loses those accounts but those accounts also
work within Starbucks,” he said. “Where do you think the customer is
going to see the problem manifest itself first? At Starbucks, which is
often a daily routine. It’s really someone else’s issue, but it’s my
brand that’s getting impacted.”
Mr. Estlick in an interview with WSJ Pro Cybersecurity explained why he
assigns some cybersecurity work to his own staff, and why he hires
outside firms, which he declined to name. Here are edited excerpts.
Q: How do you decide which cybersecurity tasks to outsource?
A: My mission statement at the security department is brand
protection. It’s a foundational element in the decisions we make.
If it’s a commodity service, we’ll look to contract that out so I can
place my resources on more critical tasks. On the other end of the
spectrum, it would be something we don’t have the capability to do.
I’ll give you two examples of what we outsourced and the decision behind
it. One is around threat intelligence. [On] many of the forums on the
dark web, you actually have to be vetted before you’re allowed access.
In many of those they will ask you to perform something that’s illegal
to get in. We’re certainly not going to do that. It’s not brand
appropriate. But I can contract with another entity without specific
knowledge of how they have access to these forums to be able to get the
benefit of that information.
The other is around bug bounties, being able to essentially crowdsource
a solution and get many different individuals from different backgrounds
and experience levels looking at the problem.
Q: Which cybersecurity tasks do you assign to your in-house team?
A: We do all security architecture, which is understanding the
environment and the initiatives that are going on. That’s done
completely in house. Identity management is done in house. Remote access
management is done in house.
The other things are security engineering, application security and
security operations. We did have security operations outside for several
years with different providers but we realized we weren’t getting the
value ... because most items were getting pushed back onto my
engineering team for more analysis and review.
The mobile app is based on a distributed development model
internationally. We do the development for English-speaking markets. If
it needs to be localized for specialized content or … for language
purposes, then the app development is distributed to international
partners. However, security is not distributed.
All applications come back to my team here in the U.S. for application
[penetration] testing and security code reviews. We have an application
security team, which is a manager and five individuals.
They’ll do app security reviews of all the internally developed
applications, whether it’s upgrades to point-of-sale or other things. We
give the green light before the latest mobile app is released either to
Google Play or the iTunes App Store.
They also run the response to our formalized bug bounty program. They
have to validate the findings and are responsible for issuing rewards.
The amount of [code] review is dependent upon the features of the
application. We have some markets where the mobile application is as
simple as just a store locator that tells you where the nearest store is
located. Others have … loyalty programs or include payment. Here in
North America and Europe we have mobile order, so there is a lot more
rigor that goes into testing that.
The focus of our testing is not the features or functions. We’re not
looking to make sure the features are working as designed. We’re working
to break the applications. Is there a way I can hijack sessions? Is
there a possibility for data leakage? Do I have a potential issue around
denial of service on the back end, or input validation issues?
Q: Which other security responsibilities do you assign to vendors?
A: Every once in a while there’s a shift in the threat landscape
where we’re seeing new approaches and different types of attacks that we
planned to address in future years that need to be brought forward.
There’s a [service] we purchased [starting] in probably 2014 that’s part
of the overall platform to knock down automated attacks.
We’ve identified where the potentials are for abuse on our
[applications] and websites and send those to the vendor for validation.
It takes milliseconds to do that.
Q: What should other companies keep in mind about their own
outsourcing model?
A: First and foremost, especially for the security leader, they
need to recognize they are going to be held accountable whether they’re
providing a service internally or through a relationship. Risk can’t be
outsourced. Your board and executive team still will hold you
accountable at the end of the day.
Through that lens, you need to look at what services you’re putting out
there and why that makes sense. If you put yourself in the situation of
having to have a difficult conversation because a certain capability had
issues or created risk, how comfortable are you standing in front of the
executive team explaining why you made which decisions and why it was
and is likely still the right decision for the company?
Article originally published on wsj.com