If you want to do business with Home Depot, you've got to get past information risk manager Tony Spurlin's team of engineers. Using comprehensive evaluation processes and his homegrown assessment framework, his team examines potential partners' cor- porate security posture. Partners that haven't nailed down their security don't connect to Home Depot.
How rigorous is your certification process? We have to provide an on-site assessment for our partners if they want to connect to us or use our data in any way. A team of engineers travels on site, and [the partner] goes through an interview, which is standardized and based on an information security framework I developed. It's a top-down, drilled down look at their corporate security posture, policies, technology solutions, and management and monitoring of security policies. Then, there's a final gap analysis to determine if they are in compliance with Home Depot policies.
Do you run into resistance from partners? If there are issues, we recommend remediation, and they must remediate before anything goes into production. Most realize the value-add this provides. We report to them a good snapshot of their information security operation. They tell us it's just like a Big Four audit, and they learn a lot from it. It's done at no charge; it's part of doing business. We take managing our brand and customer data very seriously.
What security demands do you make of partners? We demand they have an established information security program and policies. From a technology standpoint, it's the usual cast of characters: a firewall set to privileged access, strong access controls, antivirus that's up to date and constantly monitored, intrusion detection, an established and repeatable patch management process, and a vulnerability management process. We also look at how well they build servers. They need to have a standardized reference model with security elements.
What is the return for Home Depot? The return is huge. We're an $83 billion company, so you can imagine the volume of business we do. The cost of sending staff on an assessment is less than 1/10th of a percent of that.
Was it an easy sell to upper management? It was not a tough sell; everybody jumped on board. We have a Wall of Shame in our office where we pin all the data-breach headlines as they happen. When an executive asks why we need to do this, we walk them by the wall.
Read the complete interview at searchsecurity.com/ismag