


The retail paradox

Nov 11, 2010 | 3 mins
Big Data, Data and Information Security, IT Strategy

The industry that often lags in infosecurity is setting the pace in providing business intelligence

In the IT world, the retail industry is not widely regarded as a cutting-edge place to work. Margins are notoriously slim, which means investment in experimental technologies is frowned upon. At most companies in the retail industry, you have to be quite sure of the ROI when you pitch a new project.

Of course, there are exceptions. Nonetheless, I stand by my generalization. The reason the PCI Data Security Standard exists is that too many retailers were unwilling to spend the money for good infosecurity. A friend who did IT work at a major retailer wasn’t surprised at all when that company suffered a notorious data breach, saying the company seemed to think of any technology more advanced than dial-up Internet access as a wasteful extravagance.

So it’s funny that retail is leading the pack in an important way. Retailers get the idea of using security systems as business intelligence sensors.

Former CSO Executive Editor Scott Berinato chronicled early developments in retail video intelligence back in January 2005 (it’s quite a prescient piece). Even back then, retailers were starting to use security systems to look at things like how store layout affected foot traffic and sales.

In this Editor’s Letter space in April 2007, I wrote about the age of analytics, noting that we’ve entered an era with enough cheap computing horsepower and advanced analytical capabilities to improve not only security but also its ROI.

Then in June of last year I wrote about “Next stop for security: Business intelligence and business services,” again emphasizing the use of security systems, expertise and processes to serve the greater organizational goals in new ways.

The fact that retail has helped lead the charge in this respect was crystallized again for me at two recent events. Roland Cloutier made the point from the stage at our Security Standard event in September--mind you, this is a CSO with experience at companies in both high tech and the financial industries. And again retail came up as the flag-bearer in several conversations I had at the ASIS show in Dallas last month--one with video storage provider Pivot3 (very interesting), and the other with Cisco, which, to my eye, looks to have fully integrated its 2006 acquisition of SyPixx with its compelling “Smart+Connected Communities” program.

So hats off to our colleagues in the retail industry. On the traditional corporate-physical security side, they’ve taken their industry’s laser-like focus on pinching pennies and made the most of its virtues, demonstrating in concrete ways that security is a business function and an enabler of business goals.

Now about PCI compliance…