Boohoo Group and the cost of cybersecurity infrastructure
Founded in the heart of Manchester’s historic textile district in 2006, today Boohoo Group PLC is home to a portfolio of innovative fashion brands targeting style and quality-conscious consumers with up-to-date and inspirational fashion. What started as one brand has grown extensively in the UK and internationally, and today represents a platform of multiple brands servicing customers globally, generating sales in excess of £1bn.
With a total of 13 brands under one group, Boohoo sells its clothing and accessory lines to a wide range of demographics from 18 years old and upwards. “One of the great things about the brand is that it really does cover a lot of ages and a lot of demographics,” explains Dorian Skeete, the group’s Head of Information Security. “Ultimately, we have the ambition to become the number one retail and e-commerce brand in the world.”
Creating Boohoo Group’s security strategy
Having spent 14 years in roles at the UK government, followed by consultancy roles including a year at IBM, Skeete has a wide range of experience in the information security field.
Joining Boohoo in June 2022, one of Skeete’s first actions was to create the group’s security strategy, ensuring that all cybersecurity processes, training programmes, maintenance and growth activities continue to be delivered to the highest standard.
“One big buzzword for our security strategy at the moment is consolidation,” he explains. “We have quite a complex environment and a number of tech stacks that need protecting in different ways.
“When it came to creating our security strategy, we needed to look at consolidating how we do that, not just in terms of the tooling and technology that we use and the vendors that come with that, but also streamlining our policies and processes and resources to do that across the wider group.”
But as Skeete explains, with 13 brands to think about, achieving this was no easy task. “It wasn’t easy, but it certainly was something that needed to be done,” he comments.
“Don't get me wrong, we're not starting from the bottom, but we certainly do have a journey to navigate in terms of where we are now and where our future state needs to be.”
The focus on the bottom line
With the focus on the bottom line at the front and centre of every CISO’s mind, especially in a post-pandemic world, continuing to deliver high-quality security programmes while managing a corporate budget is a constant challenge. As Skeete explains, efficiency is key.
“We're all aware of the economic downturn at the moment, the climate that all industries are living in and that brings its own challenges at Boohoo,” he describes. “We don't have a lot of fat to work with, so you have to make sure the resources, the tooling that you are using is used to its utmost, that you're squeezing as much as possible out of all of it.
“One of the ways we do that,” Skeete adds, “is by making sure that our staff are as trained on the tools and the platforms as possible and that we're wasting as little time and effort as possible.”
When it came to creating Boohoo Group’s security strategy, keeping the security team aligned with the business as a whole was key.
“I made sure that the strategy is directly aligned to business objectives,” Skeete explains. “We need to be enabling the business to achieve what it wants to achieve. I know that security has quite a bad rap sometimes of being the department or the capability that always says no, and I want to change that viewpoint, certainly in Boohoo.
“It's not about saying no, but about asking how we can work safely. It's all about teaching that mantra to the staff, who are our key stakeholders around the business, and bringing them on the journey. We have two very good governance structures that we've set up that have representation from the likes of HR and legal, to the wider technology group to make sure that we're bringing them on the journey with us.
“It's not about us dictating to them what we think is the best thing to do, but we want it to have a more collaborative approach that we can help guide and transform the business alongside us.”
As Skeete describes, when it comes to the continued delivery of Boohoo’s security programmes, it is crucial to keep the group’s core values in mind.
“A lot of our focus has to be on business as usual, keeping the lights on, making sure revenue's coming in and making sure security is underpinning those core business objectives in terms of making as much money as possible,” Skeete comments. “But also alongside that is the project work, some of the work streams in the strategy that need to run in parallel to make sure that we're meeting the goals of continuous improvement as well.
“Doing all of this at scale is certainly not easy,” he explains. “I've got a diverse, amazing team, multi-skilled in different pillars of information security, but despite that, we do lean on some of the great relationships we have with vendors and suppliers.”
Partnerships ensuring ongoing success
As Skeete explains, working as a multi-discipline team means it is important for Boohoo Group to work with a range of partners and vendors to ensure continued success.
“Some of our partnerships are relatively new, like in the case of our partnership with SenseOn, but with others, we've built up a partnership over a number of years,” he describes. Working collaboratively, in a true partnership, is crucial for Boohoo, ensuring that both sides are singing from the same hymn sheet.
“We don't want this to be just a vendor and customer relationship,” Skeete says. “It really is a partnership, and we bring them on the journey with us. Our partners are acutely aware of our strategy, what we're trying to achieve and what their role in achieving that is. This means we're all aligned, and that we're all singing from the same hymn sheet essentially.
“Because we consume lots of different services, that's especially important for us. So for instance, we have a 24/7 security operations centre (SOC) alongside SenseOn. Because of the functions of a SOC, we need to be plugged in and it needs to be a bilateral relationship. We really do push the partnership angle as opposed to just a vendor that we've bought something off of.”
As Skeete explains, Boohoo’s partnerships are vital to the group’s ongoing success.
“To be honest, it would be difficult for the security function to function without them,” he says. “It was something that I was aware of as soon as I joined that partnerships with our external providers are extremely important to the security ecosystem at Boohoo.
“I think one of the other advantages of having that external help and expertise is that not only can we lean on it, but we can use it to help upskill our internal staff so that they can grow in their career and personal development as well. There's lots of great expertise that we have with those partners and they're teaching us things every day. So that's great for my staff.”
Delivery of security strategy
For Skeete and Boohoo Group, the number one priority for the near future is ensuring the business gets through the current economic challenges unscathed, while remaining secure at the same time.
“We will also be focused on the delivery of the strategy, the really important work streams that we've got in flight at the moment in terms of implementing some new tooling, gaining consolidation and efficiencies,” Skeete adds. “Looking internally, we will be looking at what processes we can improve. Building up our own information security framework, our own information security risk framework, feeding that into the new governance levels that we've created and just generally making a much more cyber-mature organisation.”
Trends such as zero trust are also on the radar, as organisations increasingly face more frequent and more sophisticated attacks.
“You can't travel too far without hearing buzzwords like zero trust and that's something that's on our radar too,” Skeete explains. “It seems like every day there is another company that has been hit, either with ransomware or some kind of double-dip data breach. So I see that trend continuing.
“Ransomware won't just be about encrypting the data that you have,” he adds. “It'll be about extorting companies not only to unencrypt that data, but to stop it from being transmitted and sold to the wider world as well. So I see that being a big thing.”
With generative AI-related threats creating new challenges for security teams, businesses will need to work proactively in future and keep these threats on their radar.
“ChatGPT is a huge buzzword at the moment,” Skeete concludes. “There were initially stories about using it to write malware and so on. I think not just from ChatGPT, but other open source machine learning capabilities, that's got to be something that's on everyone's radar at the moment and thinking about what we can do to combat that. Malware is such a scalable threat as it is and with AI machine learning, they're only going to add to that.”