Ulta Beauty CISO discusses compliance challenges

As new technologies continue to develop, combined with increasing data privacy and security regulations, cybersecurity must keep pace to maintain compliance, consumer trust, and ultimately keep your organization out of the headlines. Diane Brown, CISO at Ulta Beauty, discusses how to navigate cloud migration, ever-changing compliance requirements, and shift your teams’ culture.

Continuous compliance

Data privacy and security regulations and laws continue to spin up almost as quickly as new cloud projects. A recent example in the US is the California Consumer Privacy Act, which caused Brown’s team to quickly pivot and change their data security approach, including the execution of a full data discovery exercise. Brown considered the data deep dive a key enabler to creating a rock-solid security strategy that has kept her company out of the news. Seeing how your data is stored, where it moves, and how its shared, allows you to see the entire picture and tailor your security strategy accordingly. Also, with a full understanding of your organization’s data, you can quickly adapt to future compliance requirements that pop up.

Digital transformation and the cloud

Brown’s cloud journey began three years ago, when cloud security experts were hard to come by. Since then, she has added many cloud security “rock stars” to her team to manage ongoing the cloud journey. Having knowledgeable, certified staff is a major key to a smooth migration, but this may not be realistic for everyone due to the growing skills shortage. In place of hiring your own cloud-savvy team, Brown recommends looking for expert managed service providers who excel in cloud security and key challenge areas like detection and response.

Changing the mindset

As a cybersecurity leader, you and your team may be very familiar with using the word “no.” But, in this era of accelerated digital transformation, changing your teams’ mindset is critical to becoming a business enabler, instead of a business blocker. This starts with bridging the gap between development and security teams for more collaboration and deeper empathy with their business challenges. As developers continue to leverage new tools to drive innovation, empower your security teams to consider themselves partners in this process. By seeing themselves as a powerful component of innovation, security teams may become more open-minded to new challenges.


Hernan Armbruster: Hello again for those who just join us, my name is Hernan Armbruster. I’m the senior vice president for the Americas region. Now I have the great opportunity to be with Diane, a successful CISO at Ulta Beauty. Hello, Diane. How are you doing?

Diane Brown: I’m doing great. Thank you so very much for having me on the stage with you.

Hernan: Thank you. Thank you. I would like to start asking you to share with us first a little bit more about you, your organization, and specifically some of the challenges that you are facing in your role as the CISO of one of the largest retailers in the United States.

Diane: I just had my 13-year anniversary with Ulta Beauty in April and it was really exciting. It’s just amazing to see the growth this company has had since I joined, when I first joined, there was about 250 stores, and now we’re close to 1300 stores in all 50 states. So, from that perspective, it’s really been an interesting journey for me. And today I have the honor and the privilege to lead the IT risk management team at Ulta Beauty.

This group of people that I have… I call them all my rock stars because they just work so hard and they’re so passionate about what they do. We cover everything from cybersecurity., identity access management, vulnerability management, compliance for SOC, PCI, and all the wonderful state privacy regulations all for data privacy… We do data protection and data privacy, application security, and the newest one on our plate is the cloud.

Hernan: Oh wow.

Diane: We just do a couple of things every day. One of the challenges that we have today… We’re striving for our team to become more of a business enabler instead of a blocker to the digital transformation. We’re doing that, but we still have the responsibility to ensure that we’re protecting our data and our systems.

I’m trying to get everyone on the team to understand that we can’t always be a group that says “no”, because then people don’t want to come and talk to you and getting people to change that mindset has been one of the challenges, as the CISO, that I’ve faced… Trying to get my team to say, you know, well, maybe let’s think about it this way. Getting that mindset change has really been interesting for us.

Also, the cloud, as we’re all moving to the cloud, as security professionals, we know that it’s really nice to say you’re going to the cloud depending upon what type of cloud you’re going to. But, as you go into that public cloud sector, if you don’t have people already on your team that have a good understanding of what the cloud is, it’s really a daunting experience for them to try to figure it out because they’re used to working in a certain manner because that’s how technology has been for decades. You know, you had your on-premise systems and you have control. You can touch them, you can feel them. And now with the cloud, trying to get yourself up to speed on that quickly, because as you know, the business is moving very quickly and people are moving very quickly to the cloud.

Also trying to find ways to take on that extra workload because the cloud isn’t the same as on-premise system, because the tools aren’t all going to work the same and it’s learning the new tools and trying to find people that will step up and take that responsibility. You have people who are already have full plates and you say here, now here’s this cloud thing and you’re just going to love it.

It’s been a great journey for us. We have some fantastic people on our team now that I’ve embraced it and they’ve gotten their certification. I think that’s one of the biggest thing is how do you continue to get people and empower your people to move forward, take on these challenges, without worrying about them leaving because they see it as just more and more every day.

Hernan: You talked about moving the business, right? Moving the business fast. So, next question that I have for you is about digital transformation that had a significant acceleration in over the past year. Right? So, what specifically does digital transformation mean to you and to your business?

Diane: That’s very interesting because we’re actually working on our vision statement for our IT department right now, and one of the questions that came to us is what does digital transformation really mean?

It’s interesting what it means to different people and from our perspective, it’s being that in that business enabler in order to bring new experiences to our guests and our associates. That’s kind of where we’re trying to make sure that we know we’re focusing on.

One of the big ones that we’re working on today is transforming our website. Right now they’re looking to do that via more than microservices, which is one of those new technologies we’re talking about with containers and Kubernetes containers and all these different things. We’re doing this in an effort to underscore our commitment to being an industry leader and being a powerful purpose innovation to meet our guests needs and wants. That’s how the business sees it. From our perspective, it’s how do we then as their security partner, help them get there.

The good thing about cloud is the ability to spin up projects very quickly. The bad thing about cloud is the ability to spin up projects very quickly. Our biggest challenge when it comes to the cloud has come around the access management and securing the network side of it. The cloud environments are not, like I said, once again, going back to your data centers that you have, that traditionally people are used to the cloud isn’t like that. For us, it’s learning what is involved in this and what does identity management mean now in the cloud. Before, you just simply added a user to a local administrator group to give them the permissions they need, but it’s much more complicated then it can be there. And trying to get up to speed as quickly as projects are spinning up, can be really frustrating for your teams and trying to, you know, be empathetic to them and understanding where they’re coming from. But still, ultimately, you’re trying to meet your business’s needs and do it as quickly as it’s always been has been very interesting for us.

As I said, the other thing is that I learned, since we started our journey about three years ago is the fact that there really weren’t a lot of secure cloud security experts three years ago. You’re kind of on your own. That was probably the biggest challenge and to actually get people going and get this all moving. Fortunately over the past three years that has grown so much. So that’s the one thing I would tell people, if you’re going down this journey and you’re new on this journey, reach out to people and get your teams some help. If you don’t have those cloud experts on staff, because that is going to make your journey so much more successful and also make you that business enabler instead of the team that always says no.

Hernan: Earlier today, we discussed risk and compliance. I believe that this is a very relevant topic considering your industry. What are the key initiatives or projects around risk and compliance?

Diane: Probably the biggest one for us right now is, really last year with the California Consumer Privacy Act from a regulation perspective, is a new one. We are a publicly traded company that takes credit cards, so therefore SOC and PCI compliance has been in our landscape for a very long time.

One of the reasons that that’s not key for me right now, as far as PCI goes is, if you remember back many years ago here, it seems like just yesterday where all the retailers were having their data breaches around the holidays, we had actually implemented tokenization right before that all happened. From a CISO perspective, I just breathe a sigh of relief every time one of those things hit the news, because in our position, when that happens, your senior executives reach out to you, your board reaches out to you and they’re like, well, what about us? What about us? And being able to sit there and say: hey, we tokenized our credit cards. We are solid. We know we don’t have to worry about it. That really helped from me from a PCI regulations perspective and not having that.

But the next thing that comes along, there’s always something new coming along. And for us, it was California Consumer Privacy Act. I guess we are not an international company and therefore, when GDPR hit, we didn’t have to go and meet those obligations of GDPR, but not long after that, you know, the CCPA hit and we had to pivot really quickly, get the teams together and drive that to conclusion. It was a very interesting experience. So, as a leader of the IT risk management organization, I think one of the great benefits that came from that is that you have to do a full data discovery of your environment.

They always say you can’t protect what you don’t know is there. It was so insightful for us just find out how our business is actually using the data, because in IT, we always have one perspective, we think, okay, it just sits there. They run a couple of reports and we’re good. Then you find out they share it with this partner and this vendor and how they’re doing it. It really opens your eyes to say “wow”, it’s just interesting. We learn so much about our business in a very short period of time. To me that was worth its weight in gold from a learning perspective. It was a blessing in disguise because of that now we have a rock-solid solution in place.

As you know, I think Virginia is actually spinning up the laws this year and I know Hawaii is not very far behind them. So, from our, you know, for us having a solution in place, once again, that was a digital transformation for us. We went from having to figure out how are we going to do this with technology? Because it’s too manually intensive to try to do it any other way. It was actually a good experience and we learned a lot, we gained a lot of business partners along the way, and that is, I think, the key focus right now… Is all around the data protection and data privacy.

Hernan: This has been fantastic… All your sharing. Thank you so much. On behalf of the big Trend Micro family, we thank you so much for taking the time, sharing your knowledge, your experience with so many colleagues in this event for us. Thank you very much, Diane.

Diane: Hernan, it was my pleasure. I am very passionate about this topic, as you can tell. It’s due to the fact that I, like I said, we have so many rock stars on our team and it’s just so great that people are so passionate about their jobs and what they’re doing. Without that passion it would make my job as a CISO so much harder. Kudos to everyone on my team for all the hard work they put into it and making my life much easier. And I saw it in our digital transformation journey also. I mean, they’re helping us down that journey and without them, we wouldn’t see where we’re at today.

Hernan: Congratulations. Congratulations for that.

Read More HERE