Most people have probably broken their new year’s resolutions by now, but here’s one I plan to stick with: resetting my passwords and rethinking the strategy behind password management solutions. 

Here’s why. If you work in information security, you already know how severe the LastPass security breach, announced in late December 2022, was. By at least one account in Wired, the LastPass hack was “actually a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data.”

The big problem for users is that, as Wired points out, changing the LastPass master password that protects the vault data does nothing for the data that has already been stolen. And that’s a big issue.

Over the past decade, we relied on LastPass (or alternatives like 1Password, or Apple’s iCloud Keychain) to keep our critical passwords accessible – and more importantly – safe. We were relieved that we could have the convenience of an automated solution that could also keep our passwords protected in an encrypted format. We assumed the security measures were foolproof. But with this latest LastPass breach, it’s time to rethink the password strategy.  

Password resolutions 

It’s a new year, so why not make a fresh start with your password security? Update and refresh your passwords, regardless of whether you think you’ve been compromised or have a chance of being compromised. This is critical, even if you don’t leverage a password manager, relying instead on a sheet of paper or dozens of sticky notes.  

With this latest breach and those earlier in 2022, it’s more than likely that your employees have at least one or more of their passwords sitting out there exposed in the wild. And it doesn’t matter whether you point the finger at LastPass or something else. If somebody has had a password that’s been live for more than a year, they’re probably putting themselves and the company at risk. 

It’s also time to rethink your use of password managers. Do you want to place that much trust with all your passwords in the hands of one vendor? There may have been a time about 5-7 years ago when it was super convenient and safer to use password managers. But the LastPass breach proved that even the most convenient and secure ‘foolproof systems’ have flaws and can be hacked as well.   

Managing employee access 

Taking it a step further, make it a point to do continuous employee training to help your teams avoid being duped by phishing and malware tactics. User behavior in organizations has proven over and over to be a significant vulnerability for organizations, often leading to exposed credentials. 

At least two studies on data breaches during 2022 found that employee errors or mistakes caused either 88% or 95% of data breaches. You choose which number you believe. In any case, that is too high a percentage to ignore, and it’s likely going to grow unless organizations rethink how they provide and manage access to their critical systems. More often than not, too many employees have access to things that they don’t really need.

What about cloud security? 

Organizations must also better understand who can access corporate assets in the cloud. In theory, cloud security should be stronger as some of the very best enterprise organizations manage it. But breaches can occur, even within those organizations, like one did in May 2022 at AWS.  

In your cloud environment, access monitoring should also be a priority. Managing permissions and levels of permission can get complicated with revolving contractors and provisioning issues, and potentially hundreds of layers of functionality, each with its own layer of permissioning. Limiting access is important not just for improved security, but also for cost reduction. Why pay for access for people who don’t need it or shouldn’t have it? 

Among my portfolio companies is an enterprise security company that’s helping to refine exactly how to automate access management for cloud environments and SaaS applications. Their MO is all about determining which employees or contractors have access to which systems and projects, and enabling the continuous provisioning and management of that access. The solution can quickly prune employees who are no longer employees or contractors who are no longer on the project, which improves security and drives down costs. This is all done while ensuring that users only have the access they need to do their jobs. I’m confident that efforts in this direction will become more commonplace moving forward.
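The two review rules the article describes, a password that has been live for more than a year and a grant held by someone who is no longer an employee or no longer on the project, as an added example that is not code from the author or from any of the companies mentioned. The roster, contractor assignments and grant records are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article): current employees, the
# projects each contractor is still assigned to, and the access grants that
# exist today. "dave" has rolled off entirely; "carol" is only on billing.
EMPLOYEES = {"alice", "bob"}
CONTRACTOR_PROJECTS = {"carol": {"billing"}}
GRANTS = [  # (user, system, project, date the password was last set)
    ("alice", "crm", "sales", date(2022, 11, 3)),
    ("bob", "aws-prod", "platform", date(2021, 6, 1)),
    ("carol", "billing-db", "billing", date(2022, 9, 15)),
    ("carol", "aws-prod", "platform", date(2022, 9, 15)),
    ("dave", "billing-db", "billing", date(2022, 1, 20)),
]
MAX_PASSWORD_AGE_DAYS = 365  # the article's "live for more than a year" threshold


def review_access(grants, employees, contractor_projects, today=None):
    """Return (revoke, rotate).

    revoke: grants whose holder is not an employee and is not a contractor
            still assigned to that grant's project (prune them).
    rotate: grants that survive review but whose password is older than
            MAX_PASSWORD_AGE_DAYS (reset them).
    """
    today = today or date.today()
    revoke, rotate = [], []
    for user, system, project, last_set in grants:
        if user in employees:
            allowed = True
        else:
            # Contractors keep access only for projects they are still on.
            allowed = project in contractor_projects.get(user, set())
        if not allowed:
            revoke.append((user, system))
            continue
        if (today - last_set).days > MAX_PASSWORD_AGE_DAYS:
            rotate.append((user, system))
    return revoke, rotate


if __name__ == "__main__":
    revoke, rotate = review_access(GRANTS, EMPLOYEES, CONTRACTOR_PROJECTS, date(2023, 1, 10))
    print("revoke:", revoke)  # carol@aws-prod (off platform), dave@billing-db (gone)
    print("rotate:", rotate)  # bob@aws-prod (password set June 2021)
```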

Beyond limiting access, reducing human error will also lessen opportunities for a cybersecurity attack on your organization. This requires continuous training around phishing, password cycling, and web surfing behavior, among other topics. Taking these proactive precautions within your organization can reduce human mistakes leading to cybersecurity data breaches.  

Consolidation driving progress 

While it appeared that 2022 was going to have a pretty weak showing when it came to growth rounds and exits for cybersecurity firms, a late investment surge in Q4 led to a better-than-expected investment scenario, according to Momentum Cyber research.  

The year ahead could see consolidation among firms in cybersecurity and data management. As financial markets start to recover and larger companies gain more confidence, they may be more inclined to buy the advanced technology that the startup world provides, likely at lower multiples than what may have been previously achievable a few months ago. And with market consolidation, CISOs may see some relief as one-off relationships get tucked into one of the larger providers. This would be good for the startup world, and more so for security execs looking to drive down the number of vendor relationships to manage. 

The year ahead looks promising. By taking a proactive stance to resetting passwords, rethinking password management strategies, improving employee cybersecurity savvy, and limiting who has access to what and when – you may just be able to better safeguard against some of the nefarious attacks 2023 might have in store for us.   


Based in Pittsburgh and privately owned, grocery chain Giant Eagle, with 34,000 employees across 570 locations, raced to deliver new digital experiences and buying capabilities for its customers during the intensely challenging early months of the pandemic. It was during that time that Ball joined, in June 2020.

“The pandemic certainly accelerated the growth and adoption of buying online, and that certainly caused us to accelerate the landscape and breadth of the offering we have,” he says. “We had to mature that offering very quickly to handle the scale and scope of demand, and the ability to personalize the digital interaction with households and customers.”

With annual revenues of around $11 billion, Giant Eagle also decided to disband their corporate office—not temporarily but permanently. So it’s a completely virtual enterprise, and all efforts were made to maintain the close-knit culture Giant Eagle had, as well as transform the culture to one that’s more proactive and assertively aligned with business partners.

“We worked really hard as a technology group to walk a mile in our business partners’ shoes, and understand what kind of objectives each is trying to accomplish in their particular area of responsibility,” he says. “We are here to help you be successful, and that’s gone a long way in deepening relationships where they support and help us to be successful and vice versa. They know we are there to do that with them.”

Kirk Ball, EVP and CIO at Giant Eagle


Another evolving priority is their ability to effectively manage data and create an analytics platform that provides insights into the stories the data is telling, and, in turn, reveal those stories to decision makers across different functions in the business.

“We give them more opportunity to peer around the corner as how trends evolve in their particular area so they can either do a course correction or accelerate in a particular way, whether that’s in growth of a category of sales or driving some efficiency in terms of our supply chain,” he says. “That analytics platform is consistently growing in importance.”

CIO Leadership Live host Maryfran Johnson recently spoke with Ball about effective digital retail strategies, aligning with the CEO, and optimizing the customer experience. Watch the full video for more insights.

On the CEO as an enabler: I haven’t worked with other CEOs across the grocery retail landscape, but as the CEO, [Laura Karet] is incredibly brilliant. She is very curious and takes a genuine interest in technology. Whether it’s the ability to personalize a customer’s experience, create a very rich loyalty program to interact with customers, use technology to drive efficiency and effectiveness for our team members, or her analytic capability, she recognizes that technology is a competitive differentiator in the industry we’re in. It’s awesome to work with somebody like that. She and the whole executive leadership team have been big supporters in investing in technology so we can create competitive differentiation in the marketplace.

On IT talent: When I got here, I recognized we had a lot of very capable people. In many cases, though, they needed a bit more support, encouragement and empowerment. The pandemic, I think, helped us realize that all of our team members in North America remained very productive, or even gained a bit of productivity, as we went to a completely remote work situation. I think that helped open the mindset of the organization to say whether you’re in Pittsburgh, Cincinnati or anywhere, let’s continue to try and expand the areas in which we search for talent. We then started a journey to open a global capability center in Bangalore, India because we recognized there’s a wealth of talent there. Now we have up to 125 team members over there, but we’re searching for more. We’ll still have a rich, robust presence in North America but this allows us to create a global technology team. It exposes different cultures and approaches to technology. I think that enriches the capability of the whole team.

On emerging tech trends: One thing I have a high degree of interest in, and I think we are curious about in our organization, is augmented reality; virtual reality may be a little bit further out. I think something like up to 95% of business for grocers occurs in a store setting. That implies there’s a lot of opportunity to continue enriching the experience. So how do you animate inanimate objects in a store to create a deeply immersive experience for customers as they come into that store? That ability to bring additional information about product on shelf to life is added promotional information. I can tell you where the source was from, how long an item has been on shelf, some things you can do with this product you may not know about, and so on. That ability to augment reality is quite interesting. Once we figure out ways to maybe have contact lenses or glasses that could see that virtual reality and make it a hands-free experience, I think there is something to that.

On data analytics: The first thing we’ve done is put up a master data management capability. What that’s resulted in, for example, is we no longer have people in a meeting with different reports than others on the same topic, who then spend time arguing because there isn’t a master system of record for that particular data object. We’re also giving people introspection into various sets of data, the way the business operates, so they don’t have to take one set of data. The way the business runs is you have to look at all of those sets of information together to make a collective understanding. Do you have the right product in the right location at the right price, creating the right margin? Putting data objects together the way that the business runs has been very impactful for our business partners to better understand item and product margin, how products are moving through a particular store, and if we have the right products in the right store to match the taste and preferences of that local community.

On leadership: I was always big about frequently walking around and stopping by peoples’ cubes and being informal. And I guess you take that for granted a little bit. I realized, as we got into the virtual world, just how important it is for that frequency of communication when you can’t do it in person. But it’s still important. So I meet with those that I work with directly three times a week, and the leadership team once a week. I also meet with the whole enterprise group once every three weeks. So there’s a frequency of communication because it’s important for those you work with to be noticed, recognized, and listened to. The whole experience with our global capability center has just reinforced that. It’s very important for people to have their ideas heard, and to be able to contribute to the development of the strategy so it becomes their strategy, not my strategy. There’s so much power in that. People buy in and they get energized when they have a chance to contribute like that.
