Grailcast

Ep. 05

Steve Zalewski,

Deputy CISO at Levi Strauss & Co.

Nov 10, 2020

Steve shares how trust with customers enables Levi's to sell more jeans and his advice for security professionals looking to deliver value to their business.

Text Transcription

Daniel Barber  0:15  

Welcome to the GrailCast. Today, if we think about iconic brands, there really is no more iconic brand than Levi's, founded in 1853. And I have to say, I may be wearing a pair of 501s today. So we're thrilled to welcome Steve Zalewski, deputy CISO at Levi's. Welcome, Steve.

 

Steve Zalewski  0:38  

Thank you, Daniel. Pleasure to be here today.

 

Daniel Barber  0:40  

Awesome. Well, yeah, we've had a few great conversations over the last few months and a great one last week just talking about, you know, your background and how you think about privacy and all things Levi's. Do you want to give us a little bit of an intro and get us started?

 

Steve Zalewski  0:56  

So for all the folks out there, my name is Steve Zalewski. As Daniel said, I am currently deputy CISO at Levi Strauss. I've been here a little over five years. So I joined about five years ago, when Levi's decided to create an information security group as we got into ecommerce. And so I've spent the last five years as one of the senior members of the team building out an information security and data privacy capability in the company.

 

A little bit about Levi's, for people that know: we have wholesale, so we sell into stores; we have retail, we have thousands of stores around the world, an international company; and then we have ecommerce around the world. So over the years, we have grown from 100% wholesale to where we are today, which is 40% retail, 40% ecommerce, 20% wholesale. So as you can see, customer data privacy obviously is a big issue for us in order to be able to sustain a $6 billion revenue stream coming from those avenues of revenue.

 

Daniel Barber  2:05  

Awesome. Through your experience, I'm sure you saw, you know, the ever-changing landscape, right? Even in the last 72 hours, we've seen changes again with the CPRA. But, you know, as you looked at the GDPR, which was sort of the first piece of regulation that went into effect in 2018, what did you observe as you went through that process? And how do you think about that for Levi's?

 

Steve Zalewski  2:28  

I will say there are two distinct ways of thinking about them in how we approached them. The first is the way many people look at it, which is what happened with GDPR: we were given a compliance mandate by Europe to be able to protect consumer data.

 

And it was pretty stringent. But what it meant was, we had to be prepared to take a look at data privacy, and not look at it as SOX controls or PCI controls. We actually had to look at data privacy for individuals, and how to be able to sustain that and yet still do business, because the very same data is mandatory for marketing and upselling and all the reasons why we want that data.

 

So there was a compliance mandate first. The second thing, though, the way we looked at it, is if we are going to succeed, this is really a trust relationship that we're establishing with our customers: can they trust us with their data? And GDPR is simply a way for them now to be able to measure that trust. So for us, it isn't so much a compliance exercise as it is realizing this is how they're going to measure the foundational trust they have in us, in being stewards of their data and not reselling it, and also using it in a socially responsible manner.

 

Because again, think about Levi's: like with many retailers, we're very socially conscious, right? We consider an awful lot of things. And so therefore, that trust and that social contract is very important to us.

 

Daniel Barber  4:15  

Yeah, I love what you described there around the social contract. I think, you know, if I think about Levi's motto, you know, "people love our clothes and trust our company," that really embodies what you just described, which is a philosophy, obviously, I think many companies have, and Levi's is leading in that way. Switching gears a little bit: as you think about your three top sources of information as a security professional, where do you go to think about security and privacy? What are sort of your go-to sources for listeners?

 

Steve Zalewski  4:47  

Great question. There are a lot of places out there. What I will say is what I try to do is stay abreast of what's changing. So I'm looking for not a detailed source, but more executive overviews of the key breaches, the key vulnerabilities, right, the key things that are occurring in the industry, both for security and for data privacy, because this is primarily a data privacy issue, but what you're doing is looking at your security controls and the way that you are being compromised. Because again, that social contract, that trust relationship, can be breached through cybersecurity gaps. In that case, I say, look at CyberScoop.

 

It's an open source, it does a good job on the security side of giving you that kind of quick hit with detail. And so that's one that I would say some people aren't aware of, and that was one of my avenues that I look at every morning. If I look at data privacy, again, there's a security component, but this is more on the legal side. Now I'm looking at what are the legal requirements around the country and the world? How are the laws being interpreted against things like GDPR or California's CCPA?

 

So now, what I'm trying to find is, it's one thing to pass a law, it's another thing for a business to be compliant with the law and do business. And so the courts then offer an awful lot of guidance as to how to interpret it and what constitutes compliance. In those cases, I recommend Crowell & Moring, a legal company that puts out a daily report on things that are happening around the world that are of interest to that. And then the second one, which I highly recommend, is IAPP, the International Association of Privacy Professionals, because again, that is now not just a firm, but a whole professional organization designed to give us that kind of overview. So those are the three that I would recommend for somebody that's interested in looking at data privacy and cybersecurity.

 

Daniel Barber  7:06  

Awesome. So something that stuck with me as we spoke last week was sort of your unique perspective on how you operate your practice, particularly this concept of business vulnerability management, and how that sort of relates to privacy. Perhaps you could share with listeners what that means to you and how you apply that within your program today.

 

Steve Zalewski  7:28  

I have a simple question that I oftentimes ask security practitioners or anybody that's trying to provide me some capability, which is: how does it help me sell jeans? Because at the end of the day, that's what we do.

 

Now, at the executive board level and our senior leadership level, they are there to sell jeans; they think about the marketing, the sales, the creativity. So as we talked about earlier, when you look at GDPR, CCPA, data privacy, the fact that it is a social contract, that is a trust relationship we're establishing with our customers on their data, in order for us to be more successful in selling jeans. How do you express that as a business value proposition?

 

Difficult problem, because security doesn't make money. Okay, so the way we look at it is, let's not add more security controls. Let's look at the problem as an insurance policy, a business risk issue, which is: where and under what circumstances can that trust be violated, where, once it is, it will have a consequence on my ability to sell jeans? What we do, or the way we think about the problem, is: all right, then where is the business risk sufficient enough that an investment in security controls will reduce the likelihood of a business outage, of us not being able to make money? Okay, to do that.

 

Now, once you think about it that way, I can then say, here's how we broke it out. So when we go forward and we talk to people inside, our executives, we say there are three things that we do to be able to address unacceptable risk, right, in the management of that data for us to sell jeans. First is we have to protect the brand.

 

Again, and what does that mean? If our customers don't trust us, they don't buy from us. And so therefore, protection of our ecommerce site, where our customer data is, where our brand is, is absolutely critical.

 

And then, too, where is the customer data? No matter where it is, that is the most important thing because of the trust. So therefore, where is it? How do we protect it? How do we move it? Really, really critical. So an investment in those types of controls is needed. Second area: protect our workforce. A lot of our people are not knowledge workers; people don't think about it this way.

 

But we're creatives, okay: design, marketing, fashion. Okay, these people trust each other, they communicate, okay, they're wired to be creative and trust and get it done. So therefore, we're more susceptible to phishing attacks, social engineering attacks than many others. Because, unfortunately, those are the people we want to do our jobs, the ones that trust and have this. So therefore, we have to think about how we manage phishing attacks, social engineering attacks, because that could compromise the accounts and therefore access to consumer data. So we've got to do something there. And then the third is the supply chain. Right?

 

The sales process has gotten much more complicated, right, the need to be able to process consumer data at near-real-time speeds to improve the point-of-sale experience, right? Whether you're hitting the website, or you go into a store and then go to ecommerce, can we consolidate all that so we have an omnichannel experience for you? Which means we trust a lot of third-party sites with your consumer data. Are we doing the right job vetting and making sure that they're capable of sustaining that same social contract and trust that you've put in us? So we look at those three areas. And then on the bottom line, it comes down to two things.

 

One, we have to protect the confidentiality, integrity and availability of the data, traditional security, right, as we talk about all the time. But the second part is, these attacks, these risks are continuous; they happen. And so what we're doing here is looking at the ability to continuously deliver the intended business outcome despite adverse cyber events. So what we're saying is, it is inevitable that breaches are going to happen. So what are we doing to be able to contain them, and not make them a crisis for the entire company? So that's kind of the detail of how we position the risk of GDPR and CCPA against our investment to reduce that risk.

 

Daniel Barber  12:45  

Yeah, that was wonderful. I hope our listeners appreciate sort of the depth there. And I just love the simplicity of "how does this help us sell more jeans?" Because I think that's a unique position that many security professionals are looking to achieve, and they struggle to get around that corner. Is there any lasting advice you provide to your peers in security, and perhaps, you know, spanning into engineering and privacy too, as they think about delivering business value?

 

Steve Zalewski  13:12  

Here's what I would tell everybody about business value. If I look at what it is: are you here to secure your company, or are you here to protect your company? Okay? Business value is about protecting your company. It's about a business risk conversation, to be able to understand where your key business processes are and what you can do, again, to protect against an outage and, when it occurs, to work through it, versus implying that security is a mandate and "I will change business processes for security."

 

When I talk to professionals, including Daniel, when I talked with you, this was something that resonated: when we talked about this as protecting the company to be able to sell jeans, that alternative way of thinking just really opens up your mind to get out of the traditional security box and get much closer to business risk, in appreciating security for the value it can add, even though it doesn't help you sell jeans, and all of a sudden you've bridged that gap. So what I would say to people is, just like you've had to learn how to think evil and think good, well, this is the third way to think about it, which is: how does it address the business risk to do whatever your company does to provide value to your customers? That's fantastic.

 

Daniel Barber  14:42  

Steve, I've enjoyed our conversation. Once again, thank you for providing these insights for listeners today, and I look forward to seeing you again soon. And for those tuning in, you will find Steve and many of our other panelists on iTunes, on Spotify, and on all the major outlets. Thanks again, Steve.

 

Steve Zalewski  15:03  

All right. Thank you very much, Daniel. Great opportunity.
