The Retail & Hospitality ISAC Podcast 12.13.23
Ep 41 | 12.13.23

CISO Spotlight & Deep Dive Into Working Groups

Transcript

Luke Vander Linden: Hello, and ho-ho-ho, good little boys and girls. This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center, and our gift to you this week is the RH-ISAC podcast. [ Music ] As this is the busiest time of year for the elves, reindeers, and other cybersecurity professionals in the retail space, I imagine most of you are heads down, busy working, and not listening to your favorite retail and hospitality cybersecurity podcast, but for those of you who are out there, we have a couple of great interviews for you. The first is with Paul Suarez. Paul is the CISO of huge convenience store group Casey's. He's responsible for the security at Casey's' over 2,500 stores across the U.S. Midwest. They're the largest U.S.-based convenience store chain and, fun fact, as those of you who live in their service area know, Casey's is famous for their pizza, which makes them the fifth largest pizza chain in the U.S. as well. You know, we recorded the conversation with Paul at our summit in Plano, Texas, back in October. We actually recorded lots of interviews there because it was such a great opportunity, with so many CISOs and other cybersecurity professionals all in one place at one time, and it's not just a great opportunity for podcast recording, but for attendees. Imagine rubbing shoulders and talking shop with such an esteemed group of your fellow cybersecurity professionals. As you've heard me announce before, our next summit is in Denver, Colorado, April 9th through 11th. Registration is open and already humming along. Just go to summit.RH-ISAC.org for more information. Now, back to this episode, I also sit down with my colleague, Jackie Deloplaine. Jackie is a relatively new staff member of the RH-ISAC but already making her mark. She's responsible for the smooth operation of our working groups, although I'm sure she'll remind me that they are member-run. 
We have just about two dozen of them, mostly built around professional domains in the greater cybersecurity landscape. I say "greater" because as the definition of cybersecurity keeps creeping larger and larger, not all of these domains always report up to the CISO, and I remind you that if you are a member, there is no limit to the number of your teammates that can participate in your membership. It's all you can eat, so grab those folks down the hall in third-party risk or identity and access management and let's get them signed up for a working group that will help them protect your company and your customers even better. One other note before we get started, this will be the last episode before the Christmas season. Yes, usually we publish one episode at the beginning of the month and one at the end. We're taking the second episode of December off this year. I don't know if you or our other listeners will consider that a gift or coal in your stocking. That's up for you to decide, but I truly do want to thank you all for listening this year. This also means it'll be the last episode of the year. When we come back next year, we're going to kick off a series of amazing interviews that our president Suzie Squier did with some of the CISOs that founded the RH-ISAC. Why? Well, 2024 is our 10th anniversary. It's been quite the decade, not just for our organization but also for cybersecurity, as an ever-changing and adapting profession. We have a lot to celebrate and to reflect on, so something to look forward to starting in January. Of course, if you have something cybersecurity-related that you'd like to contribute to that celebration and/or reflection, shoot us an email at podcast@RH-ISAC.org, or if you're a member, hit me up on Slack or Member Exchange, and if your company is not yet a member of the RH-ISAC, make a New Year's resolution to join. Go to RH-ISAC.org/join to learn more and to start the process. 
[ Music ] Excellent, we are joined now by Paul Suarez, CISO and VP at Casey's General Stores. Welcome to the RH-ISAC podcast.

Paul Suarez: It's good to be here. Good to be here, Luke.

Luke Vander Linden: Excellent, so it's good to see you again. I think I saw you last at the NRF Big Show in New York. That was great. So you're very active in the retail cybersecurity community, and you're a native New Yorker, I think, so you were visiting home at that --

Paul Suarez: Born in Queens, absolutely.

Luke Vander Linden: That's excellent. So tell us a little bit about how you got to where you are today at Casey's General Stores.

Paul Suarez: Okay. Well, I'll try to make a long story short.

Luke Vander Linden: Okay. That's okay.

Paul Suarez: Born in New York City, raised in New Jersey, wanted to be a pilot for the Air Force, so I went to the Air Force Academy. Colorblind, so I didn't fly for the Air Force, but I still served a career because I was enjoying it. It was in technology, and towards the tail end of my career, I was doing some cybersecurity-related things for the Air Force and I realized this may be a big industry.

Luke Vander Linden: Excellent.

Paul Suarez: I should consider going into this after I retired, had the fortune of joining a startup, Net Witness, a cybersecurity startup.

Luke Vander Linden: Okay.

Paul Suarez: So for my first three years after I retired from the Air Force, I was working with cybersecurity manufacturers, Net Witness, Avaya, for the first three years, but I wanted to get back into the operations side, and so that's what led me to Walmart, moved down to Bentonville, Arkansas, security engineering, international CISO at Walmart, and then Casey's came calling and I said, "Yes, I will, move from Arkansas to Des Moines, Iowa," be the first CISO for Casey's, and have been now in Des Moines and with Casey's for about two and a half years.

Luke Vander Linden: That's great. Probably a big change for a boy from New York to --

Paul Suarez: My first time living in the Midwest and I think I had only visited a handful of times my entire life. So yes, I'm learning about the Midwest. I'm trying to get out and visit as many sites as I can and kind of be a Midwesterner.

Luke Vander Linden: Excellent. Well, thank you for your service in the military. We have a lot of veterans who work in our industry, which is -- so it's kind of neat, and it's a great area for training for cybersecurity, it seems like.

Paul Suarez: It is, and that's one of my passions, Luke, is trying to hire and develop veterans to be able to work in this industry because it's a natural path for many of us into the defense industry business, basically selling back to the U.S. government, but I chose this path, working on the civilian side, if you will, in industry, and I think there's a lot of opportunities for veterans to do that because, like you said, we're naturally guardians, if you will, in a personality type of construct, and so cybersecurity is just a natural fit for many veterans, and yes, I'm very passionate about that and have seen a number of veterans in the space, which is refreshing.

Luke Vander Linden: Yeah, that's great. So Casey's General Stores, I think it's the third largest C-store owner-operator in the country. Is that right?

Paul Suarez: Correct, yeah, third.

Luke Vander Linden: And I'm not in the service area, so I've never been to one, but I hear pizza is a big deal.

Paul Suarez: Correct, yeah, so that's -- Casey's made their name with pizza. Gas station pizza is a thing in Iowa. We love talking about it, but third largest convenience store chain in the U.S., fourth highest number of liquor licenses in the country.

Luke Vander Linden: Oh, wow.

Paul Suarez: So we obviously sell beer and wine in all of our stores, and the fifth largest pizza chain in the U.S.

Luke Vander Linden: That's amazing.

Paul Suarez: Yes.

Luke Vander Linden: And how many locations are there?

Paul Suarez: Casey's is at 2,500, moving towards 2,600 locations in a 17-state footprint centered around Iowa and the Midwest, but we just bought our first stores and we're starting into Texas --

Luke Vander Linden: Oh, wow.

Paul Suarez: With an acquisition of a chain called "Lone Star."

Luke Vander Linden: Okay. So that's a pretty quick growth, and I -- is most of it organic or is a lot -- most of it through purchasing of other properties?

Paul Suarez: Combination of the two. I asked that same question when I started with Casey's. We still build. We call them "NTI," new-to-industry stores, in the neighborhood of 30 to 60 per year.

Luke Vander Linden: Oh, wow.

Paul Suarez: And then we've added, through acquisition, the remainder, because to stick with our three-year strategic plan, we need to add about 100, 110 stores per year so that we can get to the number that we've promised the street, which is 350 over our three-year strategic plan period, which this is the first year of it.

Luke Vander Linden: That's incredible, and for you, in your role, to have to protect that --

Paul Suarez: Correct.

Luke Vander Linden: Expansion so quickly, that's a lot of challenges, isn't it?

Paul Suarez: It is, because there's the due diligence of the assets we're going to buy. Are they set up to accept payment card industry standards? Are there any other digital risks that are out there with this acquisition? Once we do buy them, there's a transition period while they still operate under their former logo, and so but we're responsible for care and feeding of the entity, and then we'll convert them to Casey's at some point, and then that's where we bring in our full security stack and make them like every other Casey's, which is the scale that we bring, is that economy of scale that allows us to do what we do.

Luke Vander Linden: Can you do like a security in a box and have, like, this is the new store kind of kit?

Paul Suarez: We actually call it "store in a box."

Luke Vander Linden: Okay.

Paul Suarez: And that's exactly what we do. We have a standard set of tools that go in with a new store to include all of the other point of sale, handheld devices, things like that. That is exactly what we do so that there's a very repeatable, predictable process for buying and outfitting a new store.

Luke Vander Linden: That's great. That probably helps a great deal.

Paul Suarez: It does, yeah, and it minimizes the challenge for my team. It was actually a question I asked the CEO when I was interviewing, was how Casey's approached acquisitions. My previous company, a lot of the acquisitions were only partially integrated or they would operate as an independent entity and yet there was demand to have, you know, read and write access in the Outlook space over the Microsoft tools and sharing that, but they weren't integrated, so it produced a lot of challenges. There was a phrase we had in the company, "non-networked entity." So it meant you meant the company bought something, but we hadn't integrated them, but you were still responsible, I was still responsible for their security. Casey's doesn't do it that way. We tend to have our store in a box, we bring it in, and so you get -- it becomes another extension of our enterprise when we rebrand and you see a new logo on the outside.

Luke Vander Linden: Right. So pizza, liquor. I imagine also have lots of fuel, right?

Paul Suarez: We sell gasoline as well.

Luke Vander Linden: So that's another layer of the -- we have a lot of fuel retailers, some who are pure-play fuel and that's primary but also supermarkets that are in the fuel business. Skimmers are a huge problem, so that physical security, so a big deal.

Paul Suarez: Yeah, you're right, physical and also the digital security because one of the challenges we have with fuel is we can't use the same point of sale inside the store outside because there are a lot of fleet users that come to a Casey's. We have truck stops and they're going to fill up with, you know, a couple hundred gallons, and so a regular consumer pump won't work for them, and so we have fleet fuel or commercial fuel setup and that's a totally different payment methodology. There's different discounts they get for the volumes, and so it's a different point of sale and therefore different technology, and then we have to also provide the security against still the pump skimmers, but also there's a lot of fuel fraud that goes on when you sell 5 billion gallons of gasoline in a year and we have to defend against that and, more importantly, look for the early indicators of fraud so we can pretty much nip it in the bud.

Luke Vander Linden: Right. Do you find -- because we have a couple of other more like truck stop operators like you. Do you find collaborating with them on those particular unique issues valuable as part of the RH-ISAC?

Paul Suarez: We do. As a matter of fact, my team actually reached out to other convenience stores that are selling fuel and create like a mini-group within the RH-ISAC. I don't know what they call it, but it's a fuel and fuel fraud focus group that we share intelligence, what's, you know, going on in the industry and also try to figure out what's the best way that we can engage our law enforcement partners to help us collectively defend against the fraud that happens, you know, usually in a very regional nature?

Luke Vander Linden: Sure, yeah, because of the physical nature, it's probably often --

Paul Suarez: Correct, and that's one thing that's unique about fuel fraud is you have to present yourself at one of our stores to defraud us.

Luke Vander Linden: Right.

Paul Suarez: You know, you're eventually going to come by a Casey's to get the gas and then we just have to be able to try to intercept that transaction and not allow it to happen, or detect it after the fact so that the third or fourth time you visit we're not going to allow you to continue to defraud us.

Luke Vander Linden: Right. So something our listeners may not know is that we're actually recording this in person with each other at the RH-ISAC.

Paul Suarez: We are, yes.

Luke Vander Linden: Which is exciting for us, and glad you could join us in person. You were on a panel earlier this morning and you talked about how to share, how to create a kind of culture of sharing within your department. Can you talk to us a little bit about that?

Paul Suarez: Yeah, I think one of the values of the RH-ISAC, and I think it's something that any practitioner in cybersecurity should search for is, what are the groups that I can collaborate with to help myself raise my level of awareness, raise my level of knowledge of what's going on in the industry. RH-ISAC is a wonderful tool for that, the ability for us to not just share org structures and tools that we use and maybe metrics. I've used it to ask, "Hey, what kind of metrics do any of the other members use?" But then the intelligence-sharing spaces is hugely important because -- and I'm looking at, you know, some notes from the previous summit. We're stronger together, you know, and as long as we can protect as one, my, you know, attack against me, if I can share it as quickly as possible, then maybe it will, you know, help the rest of the membership defend against it and not allow that hacker to be successful.

Luke Vander Linden: Right, that's terrific. I appreciate that a great deal. One of the newer ways that we've spun up to share is our instance of MISP, which is a great platform for cyberthreat intelligence-sharing. One of your colleagues, Diego, is doing a panel on that.

Paul Suarez: He is.

Luke Vander Linden: How do you guys implement that in your shop?

Paul Suarez: Diego drove that implementation. I think we realized there's a lot of intelligence sources out there, intelligence feeds. I'm all about having the intelligence feeds be as machine-to-machine level as possible, take out -- take the human out of the middle of it, try to make it something that's consumable, because the more textual it becomes, the harder it is for us to be able to build that into our defenses, build that into our tech, and MISP is beautiful in that when the information is posted, there are IOCs we can use for hunts. There are specific mechanisms we can use depending on the security stack that we're using to defend against things, and so I love the flexibility that it offers us, also the search capability for looking for like kind of risks out there, Luke, and so it's proven to be a huge benefit for us, and I brag about, you know, our ability to ingest intelligence and use that to cue us as to where the next attack is coming.

Luke Vander Linden: Yeah, the automation potential with MISP is incredible and that frees up your analyst's time to do more --

Paul Suarez: Correct.

Luke Vander Linden: Human being-related things.

Paul Suarez: Correct, you're right, yeah. Exactly.

Luke Vander Linden: That's great. So you've been in this industry for a long time, as you told us, so what are some of the changes you've seen over the course of your career and involvement in cybersecurity?

Paul Suarez: You know, I think the one that's been surprising to me, and it's actually -- it's Cybersecurity Awareness Month right now, and so I'm using it as kind of the pivot point in my discussions, and that is if we're asking you to do something to protect Casey's' information when you're a team member of Casey's, it's probably a good idea for you to do that in your personal digital lives as well. There's nothing I'm going to ask you to do, whether it's MFA, whether it's use of a password vault, whether it's locking down your browser, that you probably shouldn't also do on your personal lives, and I think the surprises used to be, "Hey, let me share that with my, you know, immediate family members and children." We need to share it with our grandparents and our older family members now because they have digital personas as well, and so if you're doing something at your company and you're not using that, leveraging that on the personal side, I think that's a little bit disingenuous, and nowadays, that should never happen because if it's good for the company, it's actually good for you personally.

Luke Vander Linden: Right. So as a security awareness from a human being level, they're your customers, too, they're your family members, they're your employees.

Paul Suarez: Correct.

Luke Vander Linden: All around it protects everything.

Paul Suarez: Right, yeah.

Luke Vander Linden: And then looking forward to the future, if you had to predict what's -- what any new hot things that I haven't brought up, those two letters, but you can feel free to A and I.

Paul Suarez: Oh.

Luke Vander Linden: You can feel free to mention anything you like, but what do you think is coming up in the future to look forward to?

Paul Suarez: You know, I think the thing that still surprises me is the desire to monetize information. I mean, the hackers really -- when, you know, I had to come up with the top threats to Casey's, clearly, data and data leakage is a huge threat, whether it's our guests or our team members, and people ask me, "Why is that?" Because it can be monetized, and I think we're sharing more information. Generative AI will make it easier to share because everything will -- a lot more things will look legitimate.

Luke Vander Linden: Right.

Paul Suarez: And so I think that for us to monetize personal information will only continue. It will only get worse because the ability for hackers to get our information is going to become easier and, therefore, how I protect guest and team member data is critically important, leveraging it, alerting on it. Is it on a third-party platform somewhere? Is it on prem?

Luke Vander Linden: Right.

Paul Suarez: Do I know, if that third party does have the data, who they're sharing it with? And so that's the area that I think is going to become much more of a challenge for us, is that desire for monetization will make hackers looking for that personal information much stronger and actually much easier to get because they'll be able to leverage generative AI and it'll be at a much higher degree of quality, basically.

Luke Vander Linden: Right, wow. Well, Paul Suarez, VP and CISO at Casey's General Stores, thank you so much for joining us on the RH-ISAC podcast, and thank you for being such an active and engaged member for -- and a great model for you, your team, and our other members as well.

Paul Suarez: You're welcome, Luke. It's my pleasure. [ Music ]

Luke Vander Linden: All right, we are now joined by Jackie Deloplaine from our Research and Outreach and Engagement with Members Department. I always get the name of that department wrong, but you are in charge of the RH-ISAC's working groups.

Jackie Deloplaine: Yes, I am the Cyber Intelligence Engagement Manager for the RH-ISAC, and I manage our nearly 20 working groups.

Luke Vander Linden: Excellent. Well, welcome to the podcast. It's your first time on. Well, well overdue for getting you on the podcast, so welcome to this, and by the way, you and I go back further than your employment here at the RH-ISAC. How long have you been here?

Jackie Deloplaine: So I've been here for about seven or eight months already. The time has flown.

Luke Vander Linden: The time has flown, but you and I met like six or nine months before that when you were at the Western PA Fusion Center and you wanted to partner with the RH-ISAC on behalf, I think, of some of your hospitality members. Is that right?

Jackie Deloplaine: Yeah, that's right. So we actually have a hotel working group in the city of Pittsburgh, and one of the top kind of complaints or concerns was, how can we talk to other members in the same field? And, of course, I reached out to you all because you're the experts in that, and yeah, it was just kind of funny, and then here I am.

Luke Vander Linden: And here you are. Well, we're the experts, not me, but we are the experts in that, which is great, and Pittsburgh's a great city, by the way. I've been to a couple of conferences there and great hotels, so you're lucky to live there. It's the Paris of Appalachia. Not many people know that. It's beautiful. Anyway, back to the point at hand. Tell us a little bit about what you do now that you are employed by the RH-ISAC and what our working groups are up to.

Jackie Deloplaine: Sure. So we have, like I said, 20 working groups, nearly 20 working groups for our members to collaborate and focus on particular issues. We have domain-specific working groups, so that includes our dark web, our fraud, our identity and access management, incident response, operational technology, risk management, security awareness, third-party management, security awareness, and vulnerability management. So there will be a quiz later.

Luke Vander Linden: Impressive, by the way, that you have those all memorized.

Jackie Deloplaine: Oh, definitely all memorized. We also have our tool-based groups that focus on technology that's commonly used in security SACs, so we have a few of those, and then we also have some special interest groups that are unique to personal roles and responsibilities or even different industry sectors. So we have a VISO working group. We call them the "VISO Community Group." We have our CISO Community Group, and we even have one that -- for small cyber teams.

Luke Vander Linden: That's incredible. You know, depending on how a member finds us, they may label us as the source for cyberthreat intelligence or a place for their CISOs to interact with each other, but this is really an incredible number, over two dozen of these working groups that are spun up for different domains, either that traditionally are part of a cybersecurity department or sometimes are kind of adjacent to, as the definition of cybersecurity kind of creeps bigger and bigger, maybe not even reporting to the CISO.

Jackie Deloplaine: Yeah, you're absolutely right. I think it's so important for these groups to come together. A lot of them have the same job roles, the same job titles, so they're doing the same things in our organization and it's just a way for them to get together in one group and kind of talk about some of their concerns, best practices, lessons learned.

Luke Vander Linden: It's a great opportunity. What do members get out of participation in a working group?

Jackie Deloplaine: Sure. So most people don't know that our working groups are actually member-led, so our members determine the content, they present, they lead the discussions in these regularly-held meetings. Again, they work together, they're meeting each other, they're building relationships, they are getting that connection before they might need it. So I just had our working group meetings for planning 2024 and one of the things that our champion said to me was that, because of these working groups, he knows the other members so well that he could call them up or email them at any time of the day and say, "Hey, this is happening," or "What do you know about this?" And they work so well together because of that relationship built in these working groups.

Luke Vander Linden: Oh, that's incredible, because we are, after all, no matter whether we're talking about working groups or there's other sharing platforms, we create a trusted community and that kind of interaction is what builds a trusted community. So you reeled off the whole list, almost, I think, of all of our working groups. If there's a way to distill this looking back at the year 2023, what have been some of the trending topics discussed in those working groups?

Jackie Deloplaine: Sure. So some of our popular topics were OSINT techniques to prevent impersonation fraud. That's been a really big topic this year. BISO relationships with internal stakeholders. BISOs have such a unique role where they have to work with technical and non-technical people and they have suddenly different stakeholders, so how do you build those relationships? We talked a lot about passwordless authentication. I mean, you go to any of these security conferences and that's a topic that's on everyone's mind. We even had an incident response case study that was a TLP RED, right? So it was highly --

Luke Vander Linden: So say no more, yeah.

Jackie Deloplaine: Exactly. Highly attended, and then we had -- we had a meeting for Security Awareness Month for preparation, how people are planning for October, and then we also had a great discussion on Rackspace Zero Trust framework.

Luke Vander Linden: Wow, that's great. So touching on a lot of the topics that our members discuss everywhere, are there any presentations that particularly stood out to you?

Jackie Deloplaine: Oh, yeah, we had a really great presentation. This one incorporated our associate members and our member, so this presentation was on vulnerability disclosure programs and bug bounty programs. So we had a member who journeyed through the vulnerability disclosure program, which is typically like a first step, baby step getting to the bug bounty program, and they walked us through their journey, and it was great having the associate member on the call as well because, of course, they were the expert on that, so they were able to walk us through everything that they helped this member do, and we had such a good response because we have a lot of members who are in that same boat. They're wanting a program in how do they do it.

Luke Vander Linden: And I would imagine that's a common trend, is that we have lots of members who are in the same boat discussing every topic, and so no matter what it is, it's good for a member to raise it because chances are other members will be going through the same thing. So looking at the next year, as we are planning for 2024 in pretty much every single way, what do you have on tap?

Jackie Deloplaine: Sure. So I mentioned this before, I'm working with our working group champions. Our champions are just simply members who go above and beyond in our working groups. They're helping me plan out 2024, so we're looking at content, we're looking at what worked last year, what didn't work, how can we increase engagement. So we're going to talk about PCI 4.0 updates that BISOs need to know. We're going to talk about assessment methodologies, refund as a service, that's a really popular topic right now, bot attacks, credential stuffing, differentiating business risk and IT risk, sharing some impacts, best practices, and lessons learned from recent cybersecurity incidents. That's going to be a TLP RED, just as a heads-up for our members. It's going to be a good one. And then we're going to have some panel discussions on FIDO passkeys and identity governance. 
So we are looking to have a busy, busy year just like we did last year. We had, I want to say, 80-some meetings over 2023, so I'm looking to have a busy 2024 as well.

Luke Vander Linden: Excellent. Do you have any words of advice for our members when thinking about the working groups?

Jackie Deloplaine: Yeah, I mean, if you're not in a working group, you should be. I'm not saying that just as me being the manager of the working groups, but really there's a lot of value here. Where else do you get the opportunity to be in a room with, you know, 60, 80 people where you can ask for advice and get immediate feedback? Where else can you go and actually build relationships with members and see them face to face? Because we are virtual, we have the option for video, right? And you get to meet our other members. You get to know them before you need them. I think it's a wonderful opportunity. You know, there's that saying that says -- it says, "It takes a village." Well, we are that village and we have great members, so I just hope that you all get more involved in the working groups.

Luke Vander Linden: What an incredible resource and you're an incredible resource. Thanks for joining us, Jackie Deloplaine, and just a reminder to any members who are listening there, membership is unlimited, so you're not limited to the number of people that you can credential on our platforms or that could be members of these working groups. So spread the word internally, talk to your colleagues down the hall, or the virtual hall if you're remote, and get them involved. It's just a great opportunity, great resource to get connected. Jackie Deloplaine, thank you very much for joining us on the RH-ISAC podcast.

Jackie Deloplaine: Thank you so much. I listen to every podcast, so I'm really excited to be on. Thanks.

Luke Vander Linden: Someone has to. Thank you very much. [ Music ] Thank you to my two guests, Paul Suarez, CISO at Casey's, and Jackie Deloplaine, Manager of Cyber Intelligence Engagement at the RH-ISAC. If you're interested in any of the working groups she mentioned, let us know at support@RH-ISAC.org. As always, thank you to the production team who do their best to make us sound good. That's the RH-ISAC's Annie Chambliss, and from N2K Networks, Jennifer Eiben, Tre Hester, and Elliott Peltzman. And thanks to you for tuning in. Happy holidays, and stay safe out there. [ Music ]