
Retail and Consumer Products

IT is increasingly redefining relationships in retail, compelling companies to rethink almost every aspect of their operations and pushing them to find new ways to accommodate customers. But as they wade deeper into digital waters, retailers need to look at the larger picture: a new set of interconnected risks that must be anticipated and managed, opportunities that can be capitalized on, and the growing regulatory and compliance requirements of the payment card industry that must be met at the same time.

Effective IT risk management for privacy and data protection requires a detailed risk management plan that safeguards sensitive company and consumer data in a business landscape that keeps changing. The right strategy shifts a retailer from a reactive posture to a proactive one and ensures that investments in IT security controls are properly supported and balanced by the right systems, processes, and people. Retail and consumer companies that take a proactive approach to IT risk management can reduce security breaches and financial losses and protect their reputation and core brand equity.

When risk management coordination is effective, the result is a seamless interplay of sense-and-respond activities that free up the organization to focus on the significant opportunities presented by the unfolding digital landscape.


  • What retailers are doing, and not doing, to protect brand equity by maintaining consumer trust and confidence, and how erosion of that confidence affects consumer buying patterns.
  • How network architecture can make a difference in Point-of-Sale (PoS) malware propagation and in sniping C2 (command and control) communications.


2013 has been termed “the year of the retailer breach,” with industry breach statistics showing a sharp transition from geopolitical attacks to large-scale attacks on payment card systems. The threat is shifting from geopolitical actors to two primary groups:

  • Financially-motivated attackers who seek out data that is easily converted to cash; and
  • Espionage groups who target internal corporate data and trade secrets.

Our client’s decision makers know the challenges facing the retail and wholesale sectors. From the effects of changes in demographics and lifestyle trends, to the impact of deflation, industry consolidation, constantly changing regulatory and compliance requirements, and globalization. Couple those changes with the exponential increase in number of cyber-attacks causing weak consumer sentiment, lower store traffic, and a subsequent Wall Street response in lower EPS guidance by retailers hit by data breaches. Our retail partners trust us for deep industry knowledge in enterprise risk management that combines an understanding of the operational risks, technology issues, and regulatory requirements they face on a daily basis.

Our clients include grocery chains, general merchandise stores, apparel retailers, convenience stores, drug chains, luxury retailers, restaurants, hotels, specialty retailers, distributors, and e-tailers. The insights, knowledge, and experience gained from our retail practice’s industry focus help our clients address their biggest challenges while seizing the technological advances that open up new opportunities and new access to consumers.

We are transforming global retail companies that have developed a false sense of security, perhaps even complacency, from their investments in non-agile risk management tools aimed at protecting a perimeter that no longer exists, and from processes they have relied on for years.

Over the past two decades, Brier & Thorn’s consultants have completed numerous projects globally in the retail sector to help retailers tackle their toughest risk management and information security challenges.

Information security systems in the retail and consumer market are often designed to meet minimum levels of regulatory or industry compliance rather than to identify the risks to the business and provide appropriate safeguards. As a consequence, many retailers address cyber security threats reactively, adapting to each threat as it is identified in an endless game of “whack-a-mole.”

As an alternative, we work with our clients to design an IT risk management program as one of many components of the retail company’s overall business risk environment, feeding into its broader enterprise risk management framework. Our clients treat IT risk like any other serious business risk facing retailers: an inevitable cost of doing business in today’s global digital marketplace.

How We Help

Our consultants work with clients to help the executive leadership team and IT leaders anticipate, create, and manage change – translating it into true value for the business by:

  • Identifying desired operational efficiencies and helping IT security implement the necessary key performance indicators
  • Streamlining company value chains to better leverage business process data securely and enable more rapid decision-making
  • Addressing the retail company’s unique risks by finding sensitive data, determining who has access to it, understanding the threats to it, removing it from high-risk uses, and building protections suited to today’s business model
  • Developing and implementing a detailed data security plan
  • Testing, monitoring, and updating IT security controls
  • Providing guidance on how the IT function can be better prepared to respond to business crises, such as identity theft and theft of cardholder data, and prevent or mitigate future occurrences


In our approach with our global retail clients, we help answer:

  • Whether an IT risk assessment has been performed that identifies our client’s key business risks;
  • Where to invest IT security dollars to reduce the risks affecting their key lines of revenue, business processes, and assets;
  • What a disruption to the business from a cyber attack looks like and how it would affect the business, brand, and reputation;
  • What revenue would be lost if business processes were impacted by a cyber attack;
  • What the most critical business assets are and what their value is to specific adversaries;
  • How those assets and business processes are valued through the lens of the various threat actors;
  • What incident handling and response capability exists to help our client react quickly to a cyber attack;
  • How our client will establish an IT risk tolerance;
  • How our client will communicate IT risk to the board and other stakeholders; and
  • Whether a cyber attack would pose an existential threat to the business.

Our consultants develop an executive leadership team capability responsible for leading the transformation from today’s stand-alone security program to a small but important part of a much broader enterprise risk management plan.

To avoid damage to a retailer’s bottom line, reputation, brand, and intellectual property, the executive leadership team is groomed to take ownership of IT risk. Specifically, leadership collaborates up front on how the company will defend against and respond to IT risks, and on what it will take to make the company resilient to those threats and threat scenarios.

To make this adjustment, our clients are transforming their organizations from ones centered on security and technology to ones that combine these with business management and risk disciplines. Our engagements therefore begin by transforming the executive leadership team so that it takes the lead in setting the proper tone and structure for the enterprise risk management program. Our C-suite clients recognize that mitigating cyber risk is a necessary and fundamental part of the retail company’s ongoing success, and they ensure that an IT risk management program designed by our firm is in place to manage IT risks and reduce potential harm to the business, brand, and consumer confidence.

Management of these IT risks is directed by business-operations leadership at every level that can commit and command the resources required to address and respond to these challenges, following an enterprise playbook designed, built, tested, and implemented by our firm.

How We Do It

This simple six-step plan, distinctive to our firm, lays out:

  • IT risk governance, which establishes a governance framework for managing the company’s IT risks by deciding who will be on each of the teams, setting up operating processes and a reporting structure, and connecting related risk programs such as disaster recovery, business continuity, and crisis management.
  • Understanding of IT organizational boundaries, which identifies the company’s IT vulnerabilities across every location where consumer cardholder data and personally identifiable information is stored, transmitted, and accessed.
  • Identification of critical business processes and assets, which determines what comprises our clients’ most valuable revenue streams, business processes, assets, and facilities.
  • Identification of threats, which creates an effective IT risk monitoring environment built on a sustainable and resilient approach: intelligence inputs from various teams are placed under a common risk lens so threats can be identified, correlated, and responded to in real time. Our retail clients establish a robust threat-analysis capability built on shared intelligence, data, and research from our Security Operations Centers and external sources that analyzes threat context in its entirety.
  • Improvement of collection, analysis, and reporting of information, which our retail clients receive as part of our managed security services and which implements robust cyber and technical threat intelligence capabilities in three stages: collection and management, processing and analysis, and reporting and action.
  • Planning and response actions, through the formal design and implementation of prepared responses, or playbooks, which are a necessary step in planning and preparing responses to cyber events. Using the intelligence gathered throughout the playbook development process, each playbook says who should take action, what their responsibilities are, and exactly what they should do. Executive leadership will regularly revisit our firm’s cyber intelligence gathering techniques, review and update cyber insurance options, and upgrade IT security controls.

Client Results

We share our clients’ ambitions, working to understand their reality and deliver true results, focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we are in this together as a closely held partnership.

How a global sports apparel company addressed enterprise risk with Brier & Thorn

Foot Locker’s executive leadership team considers consumer confidence of its customers and its own brand equity paramount to its business. Learn how Foot Locker addressed the risk to its global attack surface through the help of Brier & Thorn’s threat management services.

Nationwide distributor of bottles and packaging for consumer products gets ahead of the threat with Brier & Thorn

SKS Bottle and Packaging gets ahead of the threat rather than reacting to it through the creation of a new IT risk management plan, managed services, and a new secure network architecture.