Retail giants have a target on their backs. Hackers are picking them apart at a rate rarely seen in other industries.
Louis Vuitton and Dior are part of a growing number of household names affected. Their breaches alone may have cost them upwards of $25 million. Moreover, Google has warned that the hacker group that cost British retailer M&S $400 million in a data breach is headed stateside.
For as long as the retail sector remains reactive, rather than proactive, the target on its back will grow. Trust in retailers will continue to shrink. Customers will remain exposed. And every breach poses a significant legal, and in turn financial, risk to the retailer in question.
Simply spending more on the latest cybersecurity defences won’t solve this issue. Cybersecurity is built for current and past scenarios and exposure points. It’s a reactive solution by its nature.
Retailers must now invest in new talent and expertise. Because proper talent adapts to evolving issues. It’s a proactive, long-term solution.
There’s a tendency throughout the retail sector to view cybersecurity as nothing more than an IT function. But treating cybersecurity like a quick tech fix is like slapping a Band-Aid on a chronic wound.
The sector needs a shift in mindset. Cybersecurity must be treated as a core strategic priority. That means more than just installing firewalls. It means building playbooks, protocols, and airtight best practices.
But doing that requires deep, specialized expertise. What the sector truly lacks – and, until now, has been dangerously complacent about – is executive-level cybersecurity leadership.
Only 19% of CISOs in the retail and hospitality sector even report to business executives, according to an Accenture CISO benchmark report, demonstrating that cyber isn’t treated as a core business issue in the sector – let alone at an executive level.
Sector-wide change is almost impossible to achieve one company at a time. That’s why the National Retail Federation (NRF) must step up and lead the charge in confronting retail’s growing cybersecurity threat.
As one of the world’s largest retail trade bodies, the NRF is uniquely positioned to drive this shift. Its reach spans from global brands to independent boutiques, and it already plays a central role in setting best practices and shaping policy.
But it’s time to go further. It must begin actively building the leadership talent the sector urgently needs.
That starts with a dedicated cybersecurity talent incubator: a pipeline program designed to develop and acquire executive-ready cybersecurity leaders who not only understand the technical complexity of modern threats, but also the specific operational pressures retailers face every day.
This isn’t about generic IT training. It’s about cultivating strategic cybersecurity leaders. Experts who can steer businesses through choppy storms, maintaining operational continuity in the face of cybersecurity disruption.
The NRF should secure funding and backing from across the sector, from major retail chains and digital-native brands to retail tech vendors. Every firm with a vested interest in building a more secure, resilient ecosystem should be a part of this shared commitment.
With additional funding at its disposal, the NRF can build on its existing advisory work and evolve its role into something transformative – by establishing a cybersecurity talent Incubator.
It would act a bit like an apprenticeship and offer two clear pathways: a six-month program for graduates and emerging professionals, and a flexible, modular training course for those already working in junior security roles. Pipeline graduates could then move directly into placements throughout NRF’s network, embedding fresh talent across the sector.
To give this initiative wings, the NRF should assemble a cohort of veteran cybersecurity leaders to mentor and shape the next generation of cybersecurity talent. From battle-tested CISOs who’ve seen every kind of breach to incident responders who know exactly what to do when a crisis hits. For those leaders, it’s a chance to expand their influence and access the next generation of high-potential recruits.
But there’s also room here for the NRF to partner with universities to secure and attract that future talent – giving students a clear pathway for development, while allowing institutions to connect academic expertise with real-world industry needs.
Ultimately, this requires a sector-wide mindset shift. Retailers can no longer view cybersecurity as a tedious outsourcing expense. It needs to be seen as a long-term, strategic investment. A way of building consumer trust, profitability, and future-proofing the business.
Cybersecurity needs to become a boardroom issue, with funding ring-fenced for hiring cybersecurity talent, continuous upskilling at every level, and digital resilience measured as closely as financial performance.
Retail’s cybersecurity threat is only growing. Especially as AI lowers the barrier for cybercriminals and increases the scale of potential damage. More tools won’t solve the problem. Leadership will.
The NRF has the reach, the influence, and the responsibility to lead this transformation: by building the cybersecurity talent the retail sector needs from the ground up. We’re in an age where a single breach can bring a business to its knees. Cybersecurity isn’t just protection – it’s survival.