Kontoor Brands: Fashioning a new cybersecurity program
On a mission to grow through innovative design and sustainable performance to excite more consumers, Kontoor Brands is made up of iconic names such as Wrangler and Lee jeans.
The global apparel company was spun off from parent VF Corporation and became its own entity in 2019. Although it is a publicly traded retailer whose primary business is fashion, it faces the same cybersecurity challenges as its peers across the retail industry.
“My role within the company’s mission, of growing to meet consumer needs, is to ensure that I'm keeping up with the innovation and identifying the cyber risks associated with that, as well as helping drive solutions that enable the business to achieve its mission,” said John Scrimsher, Chief Information Security Officer (CISO) at Kontoor Brands.
Scrimsher explained how he works closely with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC). ISACs are non-profit organisations that act as a central resource for gathering information on cyber threats, many of them aimed at critical infrastructure, and that enable two-way sharing between members about incidents, threats and their root causes. They also offer a platform for members to pool experience, knowledge and analysis relating to those threats.
“Throughout the industry, we see challenges such as phishing and business email compromise (BEC) remaining top items of concern. Fraudulent activity is another issue, whether it's domain fraud – where people squat on domains and look for new ways to exploit those – selling counterfeit products, or using it as a phishing leverage to make the employees or customers think that they're getting an email from us,” he added.
Building a cybersecurity program for the future
Scrimsher joined the company in 2019 as its first cybersecurity team member, which allowed him to build the rest of the team from the ground up. The forward-looking program is focused on gaining visibility into every system and device that processes data. It also recognises the need for strong asset discovery and management across manufacturing, edge devices and every other area of the business.
He explained some of the major principles that he follows when building a program:
- Making it user focused, keeping it simple – “Complexity is the enemy of security; the more complex we make any solution, the more likely people are to seek out ways around it.”
- Measurable visibility – It is important to be able to measure that the program has the level of visibility necessary to protect the environment and to increase that visibility where necessary.
- It can withstand scrutiny – A good cybersecurity program should hold up under examination and stand the test of time.
- ‘All means all’ – When referring to implementing security methods such as multifactor authentication across all users, all means all. Granting any exception is a potential hole for bad actors to exploit.
Following those principles, Scrimsher has built a program that covers every area of cybersecurity, from vulnerability management and third-party risk management to identity management and governance, risk and compliance.
“We're not going to try to adapt something that may have elements that don't quite fit with what we're trying to do. So, the way I describe it is that my goal is to build a security program for 2025, not adopt and adapt from 1995,” he added.
Dealing with third-party risk
When the world went into lockdown in 2020 – a state that many countries moved in and out of throughout 2021, too – the global fashion industry faced exceptionally challenging conditions. Alongside greater scrutiny of sustainable practices and a larger volume of orders to fulfil while supply chains were all but stalled, the shift to online shopping expanded the attack surface available to bad actors.
As a forward-looking company established only a year before the COVID-19 pandemic, Kontoor had planned for the future from the start. That enabled its employees to move quickly to remote working once the pandemic hit and allowed the company to keep its eCommerce platforms running.
Supply chains have also been a major concern for the cybersecurity industry, as any disruption or delay can halt business operations and cause wide-ranging damage. Scrimsher explained, “One thing we always do is look at the risk levels of the supply chain and, just like every other company, we do face the same risks around supply chain disruptions.”
71% of organisations report that their third-party network contains more vendors now than three years ago. This growing reliance on outside parties demands new approaches to third-party risk management that keep pace with how much of the business now runs through them.
Scrimsher currently chairs the RH-ISAC Third Party Risk Management Working Group, collaborating with approximately 30 other companies to define a common set of industry security requirements for third parties, together with the criteria a vendor must meet to satisfy them.
“It's everything – how do we determine what type of data we share with them? How do we determine what level of network connectivity we provide to them? How do we ensure that, when they have connectivity, we can track their identities to ensure we know who is accessing our systems or our data? So we work very closely with other retail companies that we would typically consider competitors, but in the cybersecurity world, we're all partners.
“We're all out there trying to help each other protect our customers and our data through setting and maintaining global standards for all of our vendors. That way, our supply chain providers – whether they're software supply chain or product supply chain – all know what to expect, and they can start building their systems to be as secure as the industry is looking for,” explained Scrimsher.
Organisations that suffered a data breach while they had AI technology fully deployed saved an average of US$3.58mn in 2020 compared with those that had not. One way Kontoor reduces its breach risk is to continuously assess the business and track trends such as this one.
“As we look to the future, there's always discussions around AI technologies and the metaverse and things like that. It's keeping up with those conversations, making sure we know what types of data are going to be involved, what the risk levels are of that data and then driving the program based on that.”
Keeping emails secure through cyber partnerships
Digital transformation has connected more people than ever, and the pandemic accelerated the shift to remote work. This changed environment has brought a rise in cybersecurity incidents; in particular, the volume and sophistication of advanced email attacks have caused significant cybercrime losses, with business email compromise losses alone amounting to nearly US$2.4bn in 2021.
Kontoor utilises best-in-class partners to help keep the organisation’s emails safe.
“We treat our cyber security vendors as partners. This is very important for security because that helps them understand your needs better. We need to work with them on a daily basis to ensure that we understand the threats and that they understand our business needs, so that we can implement it as effectively as possible,” says Scrimsher.
Since implementing tools from cybersecurity partners such as Abnormal Security, Kontoor has seen the number of users reporting phishing or fraud attempts fall from hundreds to single digits, because the partners' tooling catches those messages before users ever see them.
According to Scrimsher, this has greatly reduced the workload on users, letting them get on with their jobs more efficiently, whether that is marketing, sales or design.
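The domain fraud Scrimsher describes earlier (squatted lookalike domains used to make recipients believe a message comes from the company) and the business email compromise attacks discussed in this section share a small set of tell-tale indicators: a sender domain one homoglyph or one character away from the real one, a trusted display name on an outside address, a Reply-To that redirects replies elsewhere, and urgent payment language. The following is an added example written for this article, not code from Kontoor Brands or Abnormal Security, showing how such a triage check can be expressed. The protected domains, executive name and both email messages are constructed placeholders, not real data.

```python
"""Heuristic BEC / lookalike-domain triage over email headers and body.

Added example for this article (not Kontoor's or Abnormal Security's code).
All domains, names and messages below are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder domains standing in for the organisation's own.
PROTECTED_DOMAINS = {"example-brand.com", "example-denim.com"}
# Assumption: display names attackers are likely to impersonate (lower-cased).
PROTECTED_NAMES = {"pat executive"}

# Character substitutions commonly used to make a squatted domain look genuine.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("-", "")]
URGENCY = re.compile(
    r"\b(wire|urgent|gift cards?|bank details|confidential|asap)\b", re.I)


def normalize(domain):
    """Collapse homoglyphs and hyphens so visually similar domains compare equal."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain this one imitates, or None if it is not a lookalike."""
    if domain in PROTECTED_DOMAINS:
        return None
    n = normalize(domain)
    for protected in PROTECTED_DOMAINS:
        if levenshtein(n, normalize(protected)) <= 1:
            return protected
    return None


def domain_of(header_value):
    """Extract the lower-cased domain from an address header (empty if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    display_name = parseaddr(msg["From"] or "")[0].strip().lower()
    findings = []

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike-domain:{from_domain}->{target}")
    if display_name in PROTECTED_NAMES and from_domain not in PROTECTED_DOMAINS:
        findings.append(f"display-name-impersonation:{display_name}")
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")
    if URGENCY.search((msg["Subject"] or "") + " " + msg.get_payload()):
        findings.append("urgency-or-payment-language")
    return findings


# Constructed sample messages (not real traffic).
BEC_SAMPLE = """From: Pat Executive <pat@exarnple-brand.com>
Reply-To: <pat.executive@mail-example.net>
To: finance@example-brand.com
Subject: Urgent wire needed today

Please process the attached wire before close of business.
"""

BENIGN_SAMPLE = """From: Vendor Contact <invoices@example-vendor.com>
To: finance@example-brand.com
Subject: Invoice 1042 for March

Attached is the monthly invoice, payable in 30 days as per contract.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

Each indicator on its own is weak (a vendor may legitimately set a different Reply-To), so a production filter scores and combines them rather than blocking on any single hit; the homoglyph table here covers ASCII substitutions only and would need Unicode confusables added to catch internationalised domain squats.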
Facing the unknown challenges
Reflecting on the past 12 months, Scrimsher explained how one of the biggest improvements has been his team's ability to detect and respond to threats. “Having a team that's able to constantly learn, keep up with the trends and be able to protect our company is, I would say, probably one of my proudest accomplishments.”
As the threat landscape grows, so do the challenges facing cybersecurity teams. Businesses continue to adopt new technologies and adapt under pressure, and while those technologies ultimately drive strength and innovation, they also introduce new risks and vulnerabilities that attackers can exploit.
“I would say that technology hasn't really changed the industry, but that the industry is definitely driving the need for new technology. Whether it's automation, better identification, or the machine learning and AI capabilities to better identify the threats. Those are all being developed in response to the needs of the industry.”
New technologies such as the metaverse are raising concerns about privacy and data security. Because identities, assets and interactions there are entirely digital, they give criminals fresh opportunities to steal data and misuse it for personal gain. Scrimsher explained that one of the biggest challenges of working in cybersecurity is never knowing what the next challenge will be.
“That’s the security world, there's always a new type of threat that comes up. In the next 12 months, I expect some of the biggest challenges to be really around privacy and deep fakes. As we start moving into the metaverse and AI usage grows, I think it's going to be a challenge for us to really figure out the right way to address that and ensure that we're protecting our users from fraud and other threats.”