Domino’s recipe for good enterprise cybersecurity
A good team and a proactive mindset are key for companies that want to respond in the event of a cybersecurity incident, says John Gift, director of information security at Domino’s Pizza.
Gift would know. Tasked with helping Target Corp. respond in the wake of its well-known data breach in 2013, Gift has used the lessons he’s learned from that high-profile incident to shape the way Domino’s deals with its security challenges.
Gift was drawn to Domino’s three years ago because of the company’s culture, including its supportive executives. He works out of the company’s Ann Arbor, Michigan headquarters, and reports directly to Domino’s Chief Information Security Officer.
The security team at Domino’s has grown to around 30, Gift said.
CyberScoop caught up with Gift at South By Southwest in Austin, just after he finished speaking on a panel dubbed “Welcome to the ‘Internet of Threats.’”
CyberScoop: What’s keeping you up at night? What security threats are you most concerned about?
Gift: I think right now it has to do with what you talk about when you refer to the “Internet of Things.” A lot of different devices are now connected.
When you think about that, it gives a cybercriminal a lot of different entry points. We do a really good job of protecting our endpoints at Domino’s, but what about the consumer endpoints?
One of the things that we’ve done a really good job on at Domino’s is you can pretty much order a pizza off of almost anything. Which is great. Domino’s is known more for an e-commerce company, and a technology company that happens to sell pizza.
But at the same time, all those different technology devices can be used for bad actions. And so that’s something that definitely keeps me up at night.
Remember we’re now the biggest pizza company across the world, so we’re not just thinking about it domestically. We’re now managing and protecting the brand and our consumers across the world.
CyberScoop: You must focus a lot on mobile security. Are people mostly ordering on their phones?
Gift: I’d say over 60 percent of Domino’s customer transactions are done online. We have a very targeted approach, and a lot of priorities are placed on managing mobile apps, making sure that they’re secure. Anything online we have a major focus on.
One of the key things you have to realize is Domino’s has a lot of franchisees in the United States, so we want to make sure that we’re also having them utilize products and services that are secure, that secure our customers and secure our brand.
CyberScoop: During the panel they talked a budget for cybersecurity. What have you experienced at Domino’s? Are you able to get all the money that you need? Are you able to go into the c-suite when you have questions?
Gift: When I was interviewing for the Domino’s position – I’m just going to be fully transparent – I had other offers, other organizations that I could’ve pursued, but one of the things that I really liked was the culture. And that included the executive support.
So our CEO Patrick Doyle is a huge proponent for information security. Our CIO Kevin Vasconi is also a huge proponent. Our CISO, Ethan Steiger, of course, a huge proponent. I have a fellow director who leads security operations now.
I can’t think of one time where we were not given the resources we needed to deal with a specific issue that we thought was a major threat, or something we needed to proactively respond to.
CyberScoop: What has hiring been like? Has that been difficult?
Gift: We’ve been kind of lucky. We’ve talked about how there’s a shortage of information security professionals out there, qualified and effective security professionals. A lot of people are interested in information security. They may not have that experience yet, they’re getting that experience.
One of the things that’s really helped us is a lot of people like Domino’s. They like the product, they like the innovation that’s happening. They like the culture.
Once you get into that building, you understand that it’s very collaborative, people really are willing to help, go above and beyond, and it’s something that I think’s really helped us, propel us to number one.
We really have a top talented team. People come in and you’re going to get some really good opportunities to grow, and people understand that.
So, is recruiting sometimes in Ann Arbor, Michigan, difficult? Definitely. But when you say “Domino’s,” people listen. It’s really helped us recruit some really good talent.
CyberScoop: You worked at Target at a really important time, during their response to their big breach. What was it like for you responding to that breach?
Gift: I was there for about three years, including eight months before the breach happened. I was selected by the executive team to lead the security operations center in the aftermath of the breach.
That was a really exhilarating, challenging, stressful experience. But I learned a lot along the way. It’s very different when you’re trained to respond to an incident of that nature and then when you actually have to respond to an incident of that nature.
One of the key things I always appreciated, was, yes, it was something where it was one of the most highly publicized breaches at the time, but the response, as well as the recovery, is one of those things people also talk about. And that had to do with a lot of the remediation work.
Juxtaposing that and switching, transitioning that to Domino’s I was able to take a lot of key lessons learned.
CyberScoop: What were some of those lessons?
Gift: One of the key things is proactivity starts with the things you can control.
You know an incident is going to occur, making sure that you have a key incident response plan that you follow, that you test, you’re doing things like red team/blue team exercises all the time, you’re doing things like penetration tests. All of the things that you could proactively do, whether it’s in regards to also bringing your cyber emergency response team and doing some key testing there, too.
So every six months we’ll create scenarios, and get the team together and go through that.
And Target did the same thing, but I think after the breach, it really influenced the industry to understand that you have to be doing that on a regular basis.
Talent is also very key. When those lights go on and you have to respond, it’s similar to …I’m not going to say a first responder or a police officer, because that’s life or death, but similar to when you’ve been trained for something and then you really have to go and respond to a critical situation.
Do you have the people that can really go ahead and do that, and really perform at a high level? Also, do they understand that it’s going to be a stressful time? That the investigation can last three-to-six months? How are you going to make sure there are shift models in place to make sure that the team doesn’t get too stressed out, and then the quality of the investigation goes down.
One of the good things that I really like about my boss, Ethan Steiger, is that when I first came in, we formed a strategy around a lot of those things. We were able to implement a three-to-five year plan to really focus on maturing and building a world-class security organization.
CyberScoop: What’s your go-to Domino’s Pizza order?
Gift: I like Pacific Veggie, I also like Hawaiian… I know a lot of people like the sandwiches. Really, that’s some of my favorites right now, with regards to trying the different sandwiches and the different pastas. I really like to get a diverse experience so sometimes I’ll order pizza, sometimes I’ll just go pick up a sandwich.
The following transcript has been edited for length and clarity.
