Wisdom Aveh: Cyber Resilience Starts With Assuming Breach
Retail CISOs face a threat landscape where prevention alone cannot carry the full weight of security strategy. Wisdom Aveh argues that resilience depends on preparation, clear communication and customer trust.
Retail security leaders are under pressure to keep complex, customer-facing operations running in the face of an ever more pervasive threat landscape.
Retail ecommerce depends on secure, available systems. In the event of a breach, the impact can quickly escalate to lost revenue, frustrated customers, and reputational damage.
Wisdom Aveh, founder of Perceptive Risk Consultancy and currently serving Head of Information Security and Data Protection Officer (DPO) at Kurt Geiger, argues that CISOs must plan around the assumption that an incident will happen. The goal is to limit damage, maintain continuity, and recover quickly when systems or data are put at risk.
“In the past, security has just been modeled on defense and prevention,” he says. “But whether we like it or not, we need to now adapt to the model of assumed breach.”
That mindset changes how security leaders set priorities. Rather than trying to protect every system equally, Aveh says CISOs must identify the assets that matter most to the business.
“What will affect your revenue? What will affect the business risk?” he says. “Security risk helps to protect the business risk.”
Preparation Determines How Well Organisations Respond
When an incident occurs, the difference between a controlled response and a chaotic one is often how well the organisation has prepared for that eventuality.
Aveh says many organisations have incident response documentation, business continuity plans, and escalation procedures. But those documents only become useful when teams understand them, practice them, and know how decisions will be made under pressure.
“Do we understand our communication channel? How empowered are we to make a decision? Who makes that right decision?” he asks.
Those questions become critical during a live incident. Without clear roles and decision rights, business priorities and security priorities can quickly come into conflict.
Aveh recommends regular simulations and drills that test more than technical recovery. These exercises should clarify who needs to be involved, what stakeholders are responsible for, which assets are most critical, and how the organisation will communicate throughout the incident.
“How do you recover? Everything needs to be practiced and tested,” he says.
Communication Can Shape the Outcome of an Incident
Speed matters during a breach, but Aveh warns that fast communication without care can create new problems.
“You need to act fast. You need to communicate carefully,” he says. “Communication itself, if you don’t know what to do and what to say, can be more detrimental than the incident itself.”
For CISOs, this means understanding the needs of different audiences. Board members and senior executives usually need a clear view of business impact, recovery status, customer risk, and next steps. Technical teams may need more detailed instructions. Customers and regulators may require accurate, timely updates, depending on the nature of the incident.
Aveh also highlights the importance of regular updates, even when there is little new information to share. During a crisis, silence can increase pressure on the response team and encourage stakeholders to seek answers through informal channels.
“Let them know that they are going to get maybe an update every five minutes to every 10 minutes,” he says.
The leadership challenge, he adds, is to prevent pressure from driving poor decisions. “Pressure itself is the situation,” he says. “But if you allow that pressure to have influence on you, that means it becomes the decision.”
Customer Trust Depends on Data Discipline
Retail organisations collect large volumes of customer and payment-related data. Aveh says security leaders should challenge the assumption that collecting more data is always valuable.
“You don’t need to collect too much information if you don’t need them,” he says.
He points to GDPR and the principle of data minimisation as useful guides. Organisations should understand what data they collect, why they collect it, where it is stored, who can access it, and how long it is retained.
That visibility helps reduce the attack surface. It also supports better conversations with business teams, especially in areas such as marketing and sales, where customer information is often seen as commercially valuable.
Aveh says security leaders must advise the business clearly on the risks attached to data collection and retention.
“We don’t generate revenue, we protect revenue,” he says. “We advise the business that if something happens, this is what is going to go wrong.”
Transparency also plays a central role in customer trust. Customers should understand how their information will be used, how it will be protected, and whether they will be informed if something goes wrong.
“If your reputation is damaged, that means you don’t have a business,” Aveh says.
Compliance Should Support Security By Design
Many organisations still approach cyber security primarily through compliance. Aveh sees value in regulatory requirements, but he cautions against treating compliance as the destination.
The risk, he argues, is that organisations can pass audits while still lacking mature security practices. A checklist can confirm that controls exist, but resilience depends on how those controls operate in real business conditions.
Aveh encourages security leaders to promote security by design. That means considering data protection, access, encryption, retention, and customer choice at the start of a process, rather than adding controls after decisions have already been made.
“We need to educate the leaders,” he says. “Security is always the educator within the business.”
AI Governance Is Becoming a CISO Priority
Looking ahead, Aveh sees AI as one of the most urgent issues for security leaders.
AI tools can increase productivity across the business, but they also introduce new risks, including shadow AI, data exposure, deepfakes, phishing, and AI-assisted malware campaigns.
“You can’t ban AI because everyone is using it,” Aveh says. “But you need to put a mechanism in place to ensure that there is security and governance around it.”
That governance will require collaboration across departments. If marketing, sales, customer service, or other teams are using AI tools, CISOs need to understand how those tools handle data and whether they create new exposure.
Aveh also stresses the continuing importance of education. As attackers use AI to make scams more convincing, employees need to become more aware of social engineering risks.
“We are the greatest assets within the organisation, but we are the biggest risk as well,” he says.