Discover the leadership responsibilities and technical challenges faced by Merlin Namuth in managing the security program during the Sports Authority bankruptcy. Learn valuable lessons on vendor management, access removal, data preservation, and more.
Business Folds: Security Doesn’t
Sports Authority Case Study
Merlin Namuth, CISSP, PMP, GCFA, GCIH
Session MASH-F03
Director of Standards, Risk, Compliance and Security, Red Robin Gourmet Burgers, Inc.
https://www.linkedin.com/in/merlin-namuth-904a5b11
Agenda
• Introduction
• Company Background
• Leadership Responsibilities
• Technical Challenges
• Application

Personal Experience
• 22 years in IT – last 19 in Security
• First computer was a 486SX-25 with 4 MB of RAM
• First security class was Checkpoint 4.0
• Worked in Retail, Financial Services, Defense, Healthcare, Oil & Gas
• Leadership
  • Built and managed security programs in Retail, Oil & Gas, Government, and Healthcare
  • Led incident response teams to resolve over 200 incidents
  • Earned a Master’s degree in Social Work
  • Earned a Master’s degree in Finance
• Technical
  • Enterprise forensics, incident response, architecture, engineering

Sports Authority Background
• Started in 1987
• $2 billion a year in revenue
• Over 450 stores in the U.S. and Puerto Rico
• 15,000+ employees
Sports Authority Issues
• January: chose not to make the interest payment on part of the debt
• Goal: lenders would renegotiate the debt
• Leaders thought this strategy would work

Sports Authority Issues
• Lenders did not renegotiate the debt
• March: filed Chapter 11 bankruptcy
• Goal: lenders would renegotiate the debt
• Other sporting goods retailers showed strong interest in buying the company
• No offers before the bankruptcy auction

Sports Authority Issues
• The only bid at the bankruptcy auction was from a liquidation group
Leadership Responsibilities: Doing the Right Thing
• Taking care of employees
  • Helped staff with their job searches
• Keeping the company secure
  • Still had a job to do

Leadership Responsibilities
• Every employee was given the date when their role would end
• Retention bonus announcement came after several people had already left
• Accrued vacation was not paid out
• Low unemployment in security = good external offers

Leadership Responsibilities
• During the different phases of the business process:
  • Encouraged the team
  • Provided a listening ear
  • Was transparent about my own hopes and concerns
  • Didn’t gloss over anything

Leadership Responsibilities: Vendor Management
• Some contracts canceled early
• Some contracts renewed
• No new contracts
• Soured relationships as vendors weren’t getting paid, or weren’t paid on time
• Points of contact leaving, and nobody knowing about an open vendor issue
Technical Challenges: Removing Access for Nearly 400 Employees in One Day
• Created a PowerShell script to remove AD access
• Manual sync with Google
• HR wanted to shut down access at 5:00pm
• Physical access
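The talk mentions a PowerShell script for bulk AD access removal but does not show it. The script below is an added example, not the speaker's code: it reads a termination list exported by HR, then for each account disables the account, rotates the password, strips group memberships, annotates the object and moves it to a holding OU, logging the outcome per user. It disables rather than deletes, because the same objects may be needed later for legal holds and audits (the data-preservation slide later in the deck). The CSV layout, the `Disabled Users` OU and the `example.com` domain are assumptions for illustration; the cmdlets are from the standard RSAT `ActiveDirectory` module.

```powershell
# Added example (not from the talk): bulk-disable AD accounts from an HR termination list.
# Assumptions: RSAT ActiveDirectory module is installed, the CSV has columns
# SamAccountName and TermDate, and the holding OU below exists (hypothetical names).
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $TerminationList,
    [string] $DisabledOU = 'OU=Disabled Users,DC=example,DC=com',
    [string] $LogPath    = ".\terminations-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
)

Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded; nobody needs to know this value.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

$results = foreach ($row in Import-Csv -Path $TerminationList) {
    $sam    = $row.SamAccountName.Trim()
    $status = 'ok'
    try {
        $user = Get-ADUser -Identity $sam -Properties MemberOf, Description
        if ($PSCmdlet.ShouldProcess($sam, 'Disable account and strip access')) {
            # 1. Block further logons first; everything else is cleanup.
            Disable-ADAccount -Identity $user
            # 2. Rotate the password so a cached or shared secret cannot be reused
            #    if the account is ever re-enabled by mistake.
            Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)
            # 3. Remove every group membership (the primary group, Domain Users, is
            #    not in MemberOf and stays). This also revokes group-based app access.
            foreach ($groupDn in $user.MemberOf) {
                Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
            }
            # 4. Record why, when and by whom on the object itself for later audits.
            Set-ADUser -Identity $user -Description "Terminated $($row.TermDate) by $env:USERNAME (bulk script)"
            # 5. Park the object in an OU with restrictive GPOs and no downstream sync.
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
        }
    }
    catch {
        # Keep going: one bad row must not leave 399 other accounts active.
        $status = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        SamAccountName = $sam
        Time           = (Get-Date).ToString('s')
        Status         = $status
    }
}

# Per-account log for HR, legal and the Google-side cleanup; summary for the operator.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object -Property Status | Select-Object Name, Count
```

Run it once with `-WhatIf` against the real list before the cut-off time, then schedule the live run (for example as a scheduled task at 5:00pm, the time HR asked for). The exported log doubles as the input for systems that do not sync from AD, such as the manual Google removal the slide mentions, and the `error:` rows are the ones to chase by hand before the end of the day.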
Technical Challenges: Maintenance Expiration
• 2-factor tokens expiring
• Maintenance on the IPS expired
• Recovering from aged-system failures could be a problem given strained vendor relations and unpaid maintenance renewals
• Disaster recovery

Technical Challenges: Closing 450+ Stores
• Didn’t fully understand what systems were in each individual store
• Remote wiping
• Removing access

Technical Challenges: Corporate Office Closure
• Lack of detailed data processing flows
• Which security controls could be turned down without compromising security posture
• Employee purchase of equipment
  • Wiping SSD drives on Macs
  • Difficult to verify the wipe
Technical Challenges: Preserving Company Data
• What data to keep?
• Which laptops/workstations should be archived?
• Where to store it?
• How much storage?
• Security of the storage, and of the transport of data to that storage
• Hash files to ensure integrity
• What about the systems that created the data?
• May have to gather data for legal reasons
• How long should data be stored?
• Legal implications of data retention
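The slide's "hash files to ensure integrity" point is the one piece of the archiving checklist that is a concrete technique. The script below is an added example, not from the talk: it builds a SHA-256 manifest for an archive tree before it leaves the building and verifies the copy afterwards, reporting missing files, changed files and files that were not in the original manifest. The paths in the usage lines are hypothetical; the only cmdlets used are `Get-FileHash` and the standard file cmdlets, so it runs on Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the talk): SHA-256 manifest for an archive, with verification.
# Keep the manifest outside the archived tree and record its own hash somewhere
# separate (ticket, legal-hold record), otherwise an attacker who can alter the
# archive can alter the manifest to match.
function New-ArchiveManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # folder being archived
        [Parameter(Mandatory)] [string] $ManifestPath   # CSV written outside $Root
    )
    $rootFull = (Resolve-Path -Path $Root).Path
    Get-ChildItem -Path $rootFull -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            # Relative path so the manifest still matches after the tree is moved.
            RelativePath = $_.FullName.Substring($rootFull.Length).TrimStart('\', '/')
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Sort-Object -Property RelativePath |
        Export-Csv -Path $ManifestPath -NoTypeInformation
    # Return the manifest's own hash; this single value is what you store off to the side.
    (Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256).Hash
}

function Test-ArchiveManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # the copy being checked
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $rootFull = (Resolve-Path -Path $Root).Path
    $listed   = @{}
    $problems = foreach ($entry in Import-Csv -Path $ManifestPath) {
        $listed[$entry.RelativePath] = $true
        $path = Join-Path -Path $rootFull -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ Path = $entry.RelativePath; Problem = 'missing' }
        }
        elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -ne $entry.SHA256) {
            [pscustomobject]@{ Path = $entry.RelativePath; Problem = 'hash mismatch' }
        }
    }
    # A file on disk that the manifest never saw is also a finding: something was
    # added to the archive after it was sealed.
    $extra = Get-ChildItem -Path $rootFull -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length).TrimStart('\', '/')
        if (-not $listed.ContainsKey($rel)) {
            [pscustomobject]@{ Path = $rel; Problem = 'not in manifest' }
        }
    }
    # Empty output means the copy matches the sealed manifest exactly.
    @($problems) + @($extra)
}

# Usage (hypothetical paths):
#   $sealHash = New-ArchiveManifest -Root 'D:\Archive\Legal' -ManifestPath 'D:\Manifests\legal.csv'
#   Test-ArchiveManifest -Root 'E:\Offsite\Legal' -ManifestPath 'D:\Manifests\legal.csv'
```

Verify the manifest's own hash against the recorded value before trusting the manifest, then run `Test-ArchiveManifest` on the destination copy after every transport or media migration; if the retention period runs for years, put that check on a schedule so bit rot in the storage is caught while a second copy still exists.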
Lessons Learned
• Be transparent with employees, and supportive
• Communicate with vendors
• Keep fighting against relaxing security
• Be creative in solving difficult problems

Application
• Next week you should:
  • Spend time with your staff, co-workers, and vendors to start building strong relationships
• In the first three months following this presentation you should:
  • Understand your different vendor contracts
  • Develop a process for disabling a large number of user accounts in a short amount of time, in case your company has a mass layoff
  • Identify where critical data resides and develop a process for securely deleting it
  • Work with staff to cross-train, in case a key member leaves
Thank You! Merlin Namuth https://www.linkedin.com/in/merlin-namuth-904a5b11