The Retail & Hospitality ISAC Podcast 9.13.23
Ep 35 | 9.13.23

Cybersecurity Awareness Month & SEC Updates

Transcript

Luke Vander Linden: Hello, Internet. This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center, and you're about to hear the RH-ISAC podcast. Well, summer is almost over, at least for us here in the Northern Hemisphere. And while we don't quite feel that nip in the air yet, it's never too early for those of us in the retail world to start thinking about the holidays. Oh, and I'm not talking about Christmas or Halloween or even Black Friday. No, I'm thinking about the month that should be celebrated universally, Cybersecurity Awareness Month. Every October since 2004 has been dedicated to raising awareness about the importance of cybersecurity, which makes this the 20th annual Cybersecurity Awareness Month. So how does one celebrate Cybersecurity Awareness Month? Well, individuals are encouraged to do things like use stronger passwords. And by the way, do not reuse passwords. And use a password manager instead of trying to remember them. Turn on multi-factor authentication on all of your accounts. Learn how to recognize and report phishing. And when your computer or phone prompts you, keep that software updated. For companies and our retail and hospitality members, celebrating means educating their employees, from office workers to fulfillment and warehouse team members to frontline associates, on what they should watch out for as the first line of cybersecurity defense at their companies. I will be joined in this episode by Jay Banks, Senior Information Security Analyst for IT Risk and Compliance at Dick's Sporting Goods, to talk about their security awareness program. So grab your pumpkin spice latte and celebrate Cybersecurity Awareness Month with us. Also, you've heard me for the last couple of weeks talk about the SEC's newly announced rules on cybersecurity and corporate governance. Well, finally, I brought someone on the podcast who knows what they're talking about. 
I'll be joined by Christian Beckner, Vice President of Retail Technology and Cybersecurity at the National Retail Federation. The NRF is a great partner of the Retail and Hospitality ISAC, and Christian's been working on this issue since the SEC announced they were working on it many months ago. He'll give us the inside scoop and what the new rules mean for CISOs and cybersecurity professionals. If all this sounds great, but your company isn't yet a member of the RH-ISAC, what are you waiting for? Go to rhisac.org/join to learn more and to start the process. Or if you simply want to tell us something that's on your mind, on the topic of cybersecurity (retail and hospitality would be preferred), shoot us an email at podcast@rhisec.org. Or if you're a member, hit me up on Slack or Member Exchange. All right, we are now joined by Jay Banks, Senior Information Security Analyst for IT Risk and Compliance for Dick's Sporting Goods. Jay, welcome to the RH-ISAC podcast.

Jay Banks: Thank you. Thank you so much. And thank you for having me.

Luke Vander Linden: Sure, of course. So tell me, what does a Senior Information Security Analyst for IT Risk and Compliance at Dick's Sporting Goods do all day long? What keeps you busy?

Jay Banks: All right, well, a lot. I'll start right there. So first, I focus mainly on the security awareness. So I'm a security awareness lead, but acting as a security awareness lead, it comes with a lot of different responsibilities. So security awareness training, always annual security awareness training. I do phishing simulations, Cybersecurity Awareness Month planning and coordination, cybersecurity communications to all employees, all tech employees. If there are specific groups that need specific trainings or specific awareness stuff, I distribute that stuff. And then our new hire and intern orientation and training, specifically for tech and our cybersecurity area. I'm kind of the spokesperson for that. And then a lot more smaller things. We did a Capture the Flag event this year. Our technology development program, I helped to kind of work in our cybersecurity area to get that up and running. We're starting a SharePoint Knowledge Hub, getting that built and stuff. And then we're really doing kind of an overall rebrand right now in our cybersecurity area. So really, really involved in that and getting that communicated to the overall company and everything.

Luke Vander Linden: So an internal rebrand of the awareness effort is what you're after. So that's interesting. So how did you get to this point in your career and focus so much on security awareness?

Jay Banks: That is one of my favorite questions. So my background is originally management information systems. So more on the business analysis and project management side. And so when I started my career, I was a business analyst and I did that for probably six or seven years and just hopped around to different places. And I actually ended up in business continuity and disaster recovery. And at my previous organization, I was there doing that and they moved that. And of course, that's in the cybersecurity realm as well. So I was more of a product owner, business analysis in that realm. And from there, I kind of started getting little tasks when it came to phishing stuff and security awareness stuff. And I just had a few conversations with my manager. He was like, you're actually pretty good at this. I know this isn't what you do, but it looks like you got two choices for your career path. You can continue the business analysis, product ownership, product management role, or you can come on our side and start doing some cybersecurity stuff. And that's really what I enjoy doing. So I told him, yes, I started doing it. And I've probably only been doing it for about four or five years now, but I've learned so much in that time. And just being able to go right in and dig right in and start doing it, it really helped me out a lot in learning. And then I've had some great managers and mentors and everything that kind of helped me and really helped me in my growth.

Luke Vander Linden: Do you find that security awareness is something that's innate? Like you're born with it or you're not? And if you're not, is it difficult to teach? I mean, this is what you do. You have to convince these people who aren't as aware and aren't as on top of things.

Jay Banks: I'll say my role specifically, I'm conversational. I like to talk to people. I like to do stuff like this, and being able to have those communication skills in a role like mine where you have to communicate about cybersecurity awareness and make sure that people are doing the right thing, being that first line of defense, because that's what you are. You're that first line of defense before people come in and try to attack your company. So being able to speak to people and let them know and say it in a good way where they understand it is really, really important. I don't know if it's necessarily something you're born with or you develop, but I do think it's something that you have to kind of have because I do know a lot of people that are in different realms that wouldn't necessarily excel at what specifically I do. So I think it does take a certain type of person, but there are also a lot of other roles within cybersecurity that I know that I couldn't do. Right? So it totally depends on what role we're talking about and really how you are as a person.

Luke Vander Linden: We do talk a lot about career paths and cybersecurity, because it's such a young field relatively that no one really when they were kids said, I'm going to work in cybersecurity when I grow up, because it's so young. So next month, October, next month when this episode drops is Cybersecurity Awareness Month. And it has been for quite some time now. Let us know a little bit more about what that means for you and just for the industry as a whole.

Jay Banks: Yeah. So specifically in October, like you said, it's just a dedicated month for companies to work together to raise awareness about the importance of cybersecurity. So for example, last year, a lot of the stuff that we did was just sharing information through infographics, videos, and on different topics, phishing, password security, mobile security, all these different types of things just to inform our employees about how important this stuff is and how to combat these things. Right? And one of the biggest things is making it digestible for people to be able to take a quick look at something and say, hey, I understand that. So that if they see something, if they see a threat, that they say something about it. Right? So I think that the importance of Cybersecurity Awareness Month and focusing on that consistency of letting them know about the different threats that they might see either now or in the future is really, really important.

Luke Vander Linden: Sure. So you mentioned before that you do different things for your tech employees. Are you in charge of all employees in Cybersecurity Awareness or just the tech employees? And depending on who you work with, do you train them differently if you're in an office environment versus if you're a retail associate and what they have to look out for?

Jay Banks: Absolutely. Absolutely. So I do do all employees. So everybody at corporate, everybody in stores, all contractors, all people in the warehouses, everybody.

Luke Vander Linden: Wow. That's a lot. Off the top of your head, how many employees are we talking there?

Jay Banks: 45,000 plus. So there's a lot.

Luke Vander Linden: Yeah.

Jay Banks: But it's really important. And like you said, everybody has different responsibilities. Like for example, everybody doesn't necessarily have access to a computer, but there are different components of security in general. So just making sure that you are tailoring things. So we have our overall annual security awareness training that everybody touches. Right? But in tech, for example, they have to take specific trainings because they deal with different things. If we see something, a specific threat in finance or something, we might want to roll out targeted training to them. If we see something in marketing, we might want to roll out targeted training to them. So it all depends on what specific area people are in. But at the same time, you do want to have that blanket kind of high-level training, but you do also want to drill down into things depending on the threats you'll see in different areas.

Luke Vander Linden: So what are some of the things that might fall into those blanket security awareness that everybody should know?

Jay Banks: So phishing is one of the biggest things. One of the biggest things that we harp on, if you see a specific email and something doesn't look right, make sure you're checking the link. Make sure you're checking the subject. Make sure you're checking who sends it. There's a lot of things to look for specifically. So just making sure that people understand to look out for those key things. And if you see something and you have any type of red flag at all, just reach out and ask your IT team, ask your cybersecurity team, hey, is this okay? Hey, it's always better to do that than to end up clicking on something and there's a vulnerability right there. So that's one specific thing, but there are all types of different things that we could be talking about.

Luke Vander Linden: Yeah. So how often do you send phishing tests, would you say, roughly? Obviously, you don't want to tip your hand.

Jay Banks: We do monthly.

Luke Vander Linden: Yep. Okay. The ones that we get here at the RH-ISAC have really improved in quality. They're quite tricky. And particularly if you're reading your email on mobile, where you can't hover over a link -- it's almost got me. It's never gotten me yet. But we actually have a member, and I'm not going to name names because we can't, they're quite draconian in their security awareness training. And that if you fall for a phishing exercise four times, you're fired. Does Dick's do anything like that or have any kind of penalties for those who fail?

Jay Banks: We do not have any policies like that in place. I will say, just backing up a little bit, this is one of -- it might sound bad, but this is one of the most fun parts of my job. I can be creative. I can craft phishing emails. If I see specific phishing emails that come to me, or I know things that are going on in the world, I can build something specific and send it out to people in the company and everything. So that's one of the most fun parts of my job is doing that and creating the training and everything. And then when it comes to discipline and everything, I think that really people are really hard on themselves when they realize that they've clicked on a phishing test. I don't see too many, and like I said, I send them out to a whole bunch of people, so I don't necessarily look through every single name, but I don't see a lot of repeat offenders, specifically where I am. At my previous company, we didn't see too many repeat offenders because you get bit that one time and you're checking every single time for it. Right? So you accidentally click on that link one time, you're like, oh my God, I'm going to get fired. And that's what people think. And it's just like, no, I feel like that's a learning lesson for you. Now, if we get into the, okay, you're doing it over and over again, then maybe some supplemental training and some targeted training for you, and then we can work like that. But haven't gotten to the discipline level of that yet, but it's always really interesting to hear people's different perspectives on those things.

Luke Vander Linden: Right, right. So I guess that's a good entree to the Security Awareness Working Group, talking about hearing different perspectives. Tell me a little bit about what that group covers and how you can collaborate with your fellow retailers in that group.

Jay Banks: It's really been great. So I've been at Dick's for the last year and a half about, and at my previous company, we didn't have anything like this. So I went to the summit last year and I went to the regional, because they had a regional one here where I'm located, and I went to both of those and that's where I could just -- and it was my first time doing something like that. So I could interact with different professionals that were in my same realm and did what I do essentially. And it was really good to hear the different speakers that they had and interact with different people that are at other companies that do the same thing that I do. I talked about building the Knowledge Hub and our SharePoint site right now, and we're trying to get that up and running. And it was one of the first things I did was reach out to the group and say, hey, does anybody have any experience in doing this? Have you done it before? And I had replies like, hey, I've done this before. We can help you. Would you like to meet? And I've done it with many other things, and people are very, very eager to reach out and help. And it is so helpful for me because if I have no experience doing something, but it's something that you've done 500 times before, of course I'm going to lean on you to try to help me out if you're willing to help me out. So it's been great.

Luke Vander Linden: And vice versa. So tell me a little bit more about this Knowledge Hub that you put together and what's in it and how it's shared.

Jay Banks: So what our goal for it is really is we want to have a central location where all teammates are -- that's what we call our employees, teammates -- are able to get quick information about cybersecurity without the need to email us and wait for a response and stuff. So what it really entails is a lot of different things. We're going to have things in there like an FAQ page, cybersecurity resources, cybersecurity contacts, who to contact for what, our policy standards and guidelines, and like an about us page where it's kind of, we have some pictures that we've taken as a group where you can kind of personalize the group that you work with because, you know, a lot of people think of IT as this hole, right, and people that you don't ever see, cybersecurity even in particular. So we've taken pictures and we kind of put them out there. And we did a video last year where we did like, what is cybersecurity? And we asked that question to, I think, four or five teammates. And it was a really, really nice production. And we just put it on the screens around our customer support center. And we sent it out on our intranet and via teammate communications and those kinds of things. And we got a really good response to it. And it was also something where people could see us and like, we're people. Yeah, this is something you don't have to be scared to reach out to us. You don't have to be scared if you click on something, just learn from your mistakes and we'll be good. But I think that that's one of the things that we're trying to do with this hub is have people be able to come out there and come and get information that you may need, quick tidbits. If you do need something and you don't know where it's at, you don't know where to go, we're going to have that on there too. So I need this particular thing. I don't know where to go with it. It'll at least tell you who to contact to get some information. So I really think this is going to help us. 
And specifically, we're going to roll it out in Cybersecurity Awareness Month. So this is one of our bigger undertakings where like, okay, first week of Cybersecurity Awareness Month, boom, we have this new thing. Everybody go to it. We're going to have information overload on there so that you guys can get anything you need. And you can see any past trainings. You can see our video that I just talked about where it kind of shows us as people and stuff. So it's going to be a lot of great things on there. And I'm really excited to get it up and running.

Luke Vander Linden: That's terrific. So for your teammates that have access to a computer, obviously, they'll get it just through the internet, as you mentioned, SharePoint. What about those associates who aren't on a computer? Or just maybe, do they get it on their phone?

Jay Banks: You know what? That's a bridge we haven't crossed yet. So I think it's going to be interesting to try to get them involved. But I think that that's something that we've been talking about that we're trying to figure out, hey, because there are things specifically in the store that are PCI stuff and all these type of things that those employees need to know too. So we do need to make sure that they have access to these kind of tools and stuff so that if they see something or if they have a question about something, they're able to just reach out to us and ask us these things.

Luke Vander Linden: Yeah, we didn't really talk about some of the awareness efforts that are just specifically for an in-store associate that's different than a desk associate.

Jay Banks: Yeah, it's very different because like these days, for example, you have all these skimmers and people trying to take your credit card information just with you putting it in the card reader and stuff like that. And it's really important to make sure that employees understand that those kind of things can happen and watch out for people who may be fiddling around with the credit card reader or doing something just to make sure that they don't have that opportunity to do that. Right? So they see different things than we see, and we see different things that they see. So it's always important. Like I said, we have that high-level training, but at the same time, we have these trainings targeted for specific groups that we want to make sure that we're covering all our bases because different groups are going to see different things. We might need to go a level deeper on certain things for certain groups.

Luke Vander Linden: So a lot of social engineering and a lot of physical security is kind of crossing the line over into the physical world, right?

Jay Banks: Yes, absolutely. Absolutely.

Luke Vander Linden: Excellent. So for our members who want more information about the knowledge hub that you put together, I'm sure that's part of the Security Awareness Working Group, and there's some materials from the meeting that you presented that as well. What else would you say is coming up once you launch this successful initiative next month? What else do you have coming in on the pipeline, would you say?

Jay Banks: So we're kind of doing it in phases. So first, we have a smaller launch currently right now that's just our cybersecurity team. So they can go in and see, and they can let me know if they see something that they don't like, let me know what content they might want to be added. Like I said, we have FAQs out there for different areas, that kind of thing. And then so, like I said, we want to do October for the overall launch. And then we want to work to do like those little different groups that I talked about, do things for like a tech only space, right? Kind of roll that out to tech. And so we want to make sure that this is built on a consistent basis. We talked about doing a blog corner where we have different areas in cybersecurity, our different employees write different blogs and maybe release one every month on the hub. We want to make sure that we have as much engagement as possible on this, and that the content stays fresh. I think that's one of the most important things in what we do, just because things change so quickly. You have so many things that change so quickly. And that's what makes my job so interesting is, I could run a phishing test this month about something that's happening right now, and it could be totally irrelevant in a couple of months, right? It's really important for me and for a thing like the hub and all of our teammates to stay up-to-date and current. And we want to make sure that the hub is doing something like that, making sure that we keep current fresh content out there and people are always able to access it.

Luke Vander Linden: Yeah, it's always fascinating how current events are used by threat actors and phishing. Like when there was a couple of the banks failed a couple of months ago, and they totally capitalized on that and sent people, your bank might be failing, click here to log in or change your password. And of course, a segment of the podcast doesn't go by where we don't talk about AI. These phishing attempts are getting much more sophisticated because of AI. Are you using that at all in your job?

Jay Banks: So we are currently, I am currently actually in the process of developing. So we just wrapped up our generative AI guideline document. So I'm in the process of developing a training for that. So it should be completed within the next -- this is one of the things we want to roll out for Security Awareness Month too. So it should be completed within the next month. And then it's a two- or three-minute video, just something that we want to go out to our employees to say, hey, these are our guidelines around using generative AI. We're not saying, hey, don't use it. But we're saying, hey, these are the guidelines. If you're going to use it, please follow these guidelines. But it's a big thing right now. And I think we're in the process of where we're trying to toe that line between saying, hey, no, you can't use it, and letting you just go willy-nilly and crazy and just using it for everything, right?

Luke Vander Linden: Right. Because you can't tell people they can't do something. They'll just do it on their own device.

Jay Banks: Exactly. Exactly.

Luke Vander Linden: But reminding them, making them aware, security aware of the information they're putting into it is really important. Well, you have a lot on your plate. So I'll let you get back to it because there's just a couple of weeks left before Security Awareness Month. Jay Banks from Dick's Sporting Goods, thank you so much for joining us on the RH-ISAC podcast.

Jay Banks: I appreciate you guys having me.

Luke Vander Linden: All right. And now I'm joined once again by Christian Beckner, VP of Retail Technology and Cybersecurity at the National Retail Federation. Welcome back to the RH-ISAC podcast, Christian.

Christian Beckner: Thanks, Luke. Good to be back.

Luke Vander Linden: It's been a couple of months since you joined us. The last time was when we announced the partnership between the NRF and the RH-ISAC, and that's been going great. We collaborated on some activities at the NRF Protect Conference earlier this year, and you'll be moderating a panel at our summit coming up later this year.

Christian Beckner: Yeah, it was great to have RH-ISAC at the NRF Protect event back in June, and we're looking forward to our participation in the RH-ISAC summit next month.

Luke Vander Linden: Excellent. So it's been a busy summer for all of us, but it's also been a pretty busy summer for the Securities and Exchange Commission, the SEC.

Christian Beckner: Yeah. So the SEC finalized its rule for cybersecurity disclosure for publicly traded companies last month. This is something we'd been expecting for over a year based upon the initial version that was released, and so they finalized it in late July with some significant changes, but some still significant work for publicly traded companies to have to work on over the next few months.

Luke Vander Linden: So give us a little background. You said they finalized it, and I know that at some point, I can't remember exactly when, they had released some proposed rules. How does this process work, and what was the process for you guys?

Christian Beckner: Sure. So there was a proposed rule issued in the spring of 2022. Several hundred entities, including NRF, commented on that proposed rule, provided feedback in terms of its practicability and different issues related to different legal issues. So based upon the feedback they received from different entities and also from different government agencies that were affected by this, they came out with their final version of the rule, which made some significant changes to what was in that in terms of, you know, we think in a positive way in terms of what is actually sort of practical and feasible for implementation.

Luke Vander Linden: So what do the finalized rules say, and how will that affect CISOs and other cybersecurity professionals at publicly traded companies?

Christian Beckner: So the final rule has key requirements for publicly traded companies in three areas. First, it has requirements for disclosure of material incidents. It requires companies to disclose defined material incidents for cybersecurity and then report those within 96 hours. So that creates a lot of new work that companies will need to do to be able to sort of determine materiality of the cybersecurity incident and then have that mechanism to report it. There are some exceptions in place for when there's an ongoing investigation. The Department of Justice can request that these disclosures be delayed. So that was a new element to compare with what was in the final rule, but that is a significant thing that companies are going to have to work on over the next few months as this goes into effect. And I should add that the deadlines for all these new requirements are in December of this year, so a pretty short timeframe for companies to address.

Luke Vander Linden: Yeah, so are there any guidelines for defining what materiality is, either from past incidents or past SEC rules?

Christian Beckner: Yeah, there's some history there. And without going into too much detail on it, companies have already been required to sort of make disclosures of material incidents in a less timely manner. So it's not necessarily a new process. It just sort of accelerates the process by which companies are going to have to make these types of disclosures to the SEC. So the second area that the rule covers is sort of cybersecurity risk management within the company. There are a number of requirements in the final rule for disclosing your cybersecurity risk management practices in your annual report, providing sort of guidance on how you're working with third parties, the steps you're using to assess your internal cyber risk management practices. So there are some elements of what was in the initial rule that were sort of taken out where some of the things were less practical in terms of being able actually to implement this, but that there's still some significant requirements there for companies to address. And then the third issue is around cyber risk governance. So there are requirements for boards of directors to be more cognizant of cybersecurity risk. The initial version had a requirement that board members would have to have specific expertise around cybersecurity. That was changed to require that expertise to be in terms of management of cybersecurity, but within the management team of the companies. So there is now not a requirement for the board itself to have that expertise, but there still is a clear direction that boards need to be exercising oversight of cybersecurity risk and be more cognizant of those sets of issues.

Luke Vander Linden: So how is that governed and reported to the SEC?

Christian Beckner: Yeah, so that needs to be reported in annual reports on a sort of a recurring basis by companies. You know, you can look at this in sort of two aspects. The incident disclosure requirements are ongoing. Those need to be reported, you know, as incidents happen. But the other requirements related to cybersecurity risk management and governance are requirements mainly for the annual reports that companies file with the SEC.

Luke Vander Linden: Okay, so the burden there is mostly then on the folks who normally deal with the SEC, like corporate secretaries and things like that.

Christian Beckner: Yeah, but you're going to need to -- you know, the CISOs and others on the cybersecurity team will need to be providing support to the people in the finance function or in the legal function who are preparing those reports. And, you know, just even the request for information will compel CISOs or other cybersecurity leaders to sort of have more work in terms around metrics, more work around sort of just managing and tracking performance as they're working on these issues.

Luke Vander Linden: Have you gotten any feedback from some of the retailers that you work with on some of these new rules, and particularly, obviously, from the CISOs, but at any level, the companies?

Christian Beckner: Not too much feedback yet. I mean, I think, you know, people have been realistic that this is something that they're going to have to work on and known about it for a while. So I think some companies have already been preparing. You know, I think we'll see, you know, some good discussions over the next few months as the deadlines go in place, you know, including at the discussion we'll have at the RH-ISAC Summit.

Luke Vander Linden: Right. So you said the deadline to implement these things is December. So that's not a lot of time, even though it seems like it's a lot of time, three months away. But do you have any guidance for companies in order to put these things together?

Christian Beckner: Yeah, I mean, I think there are, you know, a number of sort of consulting firms and law firms that have put out, you know, guidance and recommendations around this. So there's a lot of good public information out there. I think companies should be talking to their auditors, talking to their outside counsel that they use for cybersecurity and getting their direct guidance on this. And then, you know, I think, you know, through forums like the RH-ISAC and NRF and RIT Security Council, there's a good opportunity for companies to, you know, sort of have that conversation about, you know, benchmarking what you're doing and sort of sharing best practices that companies are addressing and preparing to address this.

Luke Vander Linden: And I imagine you'll touch on this topic at the panel you're moderating at the summit as well.

Christian Beckner: Yep, we will.

Luke Vander Linden: In about a month. So maybe we'll be one month further along in the process. What was the NRF's role in this? I know that you were soliciting feedback when the SEC released their initial version of things and were soliciting comments. But typically, when something like this comes down either from a rulemaker or a lawmaker, what does the NRF do?

Christian Beckner: Pretty typical, as a trade association that we file, you know, comments on things like this and provide our guidance. A lot of times that's based upon member input. The comments that we filed in response to the initial version of this rule were based upon input that we received from a number of members who discussed this. So, you know, so that's a typical thing we do for, you know, rulemaking in a variety of areas, you know, across the board.

Luke Vander Linden: And were you pleased with the changes they made, either personally or as an entity?

Christian Beckner: Yeah, I don't know that we have an official position on this, but in terms of just looking at sort of, you know, looking at this as a, you know, somebody who understands sort of cybersecurity practitioners and, you know, the issues that they work through, I think this definitely reduces the burden on, you know, on companies and from a compliance standpoint and focuses around sort of the higher-risk things that they need to do. Some of the things that they took out were, it was unclear sort of what the benefit of this would be either for the SEC or for cybersecurity risk management generally. So I think, you know, from a directional standpoint, this is moving towards something that can be implemented, you know, more effectively and efficiently and will satisfy the objectives that the SEC has had in moving forward with this in terms of protecting shareholders and their other sort of, you know, ongoing concerns.

Luke Vander Linden: Excellent. So looking ahead, can you tell us anything else that might be bubbling up from either the SEC or Congress or any place else in the government?

Christian Beckner: So there is quite a bit going on now on, you know, cybersecurity policy generally. You had the National Cybersecurity Strategy, which was issued in the spring. And then, you know, a couple months ago, the implementation plan for that cybersecurity strategy was issued. So, you know, coming out of this, you now have a number of sort of follow-on initiatives by the Office of the National Cyber Director at the White House and by the National Security Council staff. For example, you saw the National Cyber Workforce Strategy was released in, you know, last month. You had the final rule related to IoT security for consumer devices be issued. So definitely a lot of sort of ongoing, you know, sort of activity related to cybersecurity best practices. You have a big emphasis on sort of secure by design within CISA right now. So just, you know, a lot of ongoing efforts, you know, that we'll continue to track and continue to, you know, provide sort of guidance on.

Luke Vander Linden: Well, Christian Beckner, VP at the NRF in charge of cybersecurity and other technology. Thank you very much for joining us on the RH-ISAC podcast again.

Christian Beckner: Thanks, Luke, and look forward to seeing you in Dallas next month.

Luke Vander Linden: Thank you to both of my guests, Christian Beckner, Vice President of Retail Technology and Cybersecurity at the National Retail Federation, and Jay Banks, Senior Information Security Analyst for IT Risk and Compliance at Dick's Sporting Goods. You know, Jay is an active member of the RH-ISAC Security Awareness Working Group, which is one of about 20 active working and collaboration groups the RH-ISAC hosts for its members, ranging in topics from fraud to operational technology to identity and access management to third-party risk management. RH-ISAC members can add as many of their team members to as many of these working groups as they need to, to do their jobs better. Keep that in mind and let our member engagement team know when you need someone added. I also want to point out that, as I mentioned, Christian is moderating a panel at our upcoming Cybersecurity Summit in Dallas next month, which really is turning into the don't-miss event of the fall. Christian's fellow speakers include Deneen DeFiore, VP and CISO of United Airlines, white hat hacker Keren Elazari, and Lowe's VP and CISO Marc Varner. Check out the whole list of speakers and the agenda at summit.rsisac.org, and don't wait, register today. The Summit, the Emerging Tech Showcase, the CISO Roundtable, the Dinners and Dialogue, a lot of events coming up. I hope we can see you in person at at least one of them coming soon. However, if you prefer to stay hidden behind your keyboard, that's fine too. Shoot us an email at podcast@rsisac.org if you want to discuss anything you've heard today, if you have an idea for a podcast segment, or even if you want to be on it yourself. As always, thank you to the production team who tried their hardest to make this sound good. For the RH-ISAC, that's Andy Chambliss and Marisa Trosinecki, and from N2K Networks, formerly known as The CyberWire, that's Trey Hester, Jennifer Eiben, and Elliott Peltzman. Thanks, as always, for listening and stay safe out there.