Ever heard of a CISO? That stands for chief information security officer, an executive who is focused solely on a company’s cybersecurity.
The title dates back to the 1990s, when the internet was young and cybercrime was growing. Today, most large companies have a CISO, including 100% of Fortune 500 companies as of 2022, according to Cybersecurity Ventures.
But the title remains uncommon in the restaurant industry, which is by and large still in the early stages of digitization. Many restaurant companies have a CTO or CIO who oversees IT including cybersecurity. But some are now narrowing their focus as cyberattacks become a bigger threat.
“You’ve seen that digital presence [grow],” said Nathan Hunstable, CISO for CEC Entertainment, the parent company of Chuck E. Cheese’s, during a panel at the FSTEC conference on Tuesday. “Security’s just now trying to keep up.”
Hunstable joined CEC in July after years of managing IT for theater chain Cinergy Entertainment. As CISO, his job includes creating a governance, risk and compliance (GRC) strategy, ensuring franchisees are taking proper security measures, and training employees on best practices.
Though his title starts with a C, Hunstable tries to stay out of the spotlight as much as possible. “When you’ve been doing this as long as we have, you kind of realize you want to stay under the radar,” he said. Too much attention usually means something is wrong.
Hunstable acknowledged that hiring a CISO and the investments that entails are no small cost for a restaurant company. But he encouraged even small brands to devote some resources to the issue, such as installing security software that can help fill some of the gaps a CISO might address.
The prevalence of cybercrime and the costs of dealing with an attack can’t be overstated. There are more than 3.4 billion phishing emails sent every day, said Afia Phillips, CISO for Little Caesars Entertainment. The rise of artificial intelligence has only added fuel to the fire. The average cost of a data breach, meanwhile, is more than $3.3 million for hospitality companies, according to IBM.
“And the bad guys only have to be right one time,” Phillips noted. “We have to be right all the time.”
Phillips got into cybersecurity in the wake of 9/11, when there were growing concerns about the threat of cyberwarfare. After working in cybersecurity for the city of Detroit and then automaker Daimler, she joined Little Caesars as VP of information security in 2021. She was promoted to CISO in June.
Phillips said having a CISO gives companies a competitive advantage on multiple fronts. The first is that a cyberattack can damage a brand’s reputation.
“You want to make sure your customers trust you with their information,” she said. “If your brand is out in the media as far as having weak security controls, being hacked, all those things are definitely a black eye to your brand.”
The second is that, if a cyberattack does happen, it’s vital to be able to quickly get operations back up and running. A CISO would ensure there’s a plan in place for that scenario.
At the same time, Phillips said her job is not to scare people, but to help the company understand its risk tolerance and create guidelines that align with it.
“Cybersecurity in some ways can be so sensationalized,” she said. “Say for instance I did click the [phishing] link. Is that the end of the world? If one record was compromised, is that OK?” If not, then the company should adjust its standards accordingly.
Here are four quick tips from the panel:
- Don’t use ChatGPT for programming (at least not the free version). “They’re pumping your data into a system that is not a closed system,” Hunstable said.
- An attack on a vendor can affect your company. Phillips used the example of a hacker taking over a vendor’s email system and impersonating them for nefarious purposes—a scenario she said is fairly common. “You have to think about third-party risk management,” she said. “Are they educating the people in their organization? Because if not, that could be a blind spot for you.”
- Cybersecurity training is never over. Training materials should be kept up to date to reflect the latest threats, Phillips said. Hunstable sends out a monthly newsletter with current best practices and conducts regular phishing simulations to keep the topic front of mind for employees.
- Keep it simple for the CEO. Explain the risks of a cyberattack in terms of how it would affect the business and the bottom line, Hunstable said. “If you get into the weeds of the technical, most of them just aren’t going to follow it.”
Members help make our journalism possible. Become a Restaurant Business member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.