Case Studies

Mitigating Risk: How a Retail Chain Built a Compelling Security Investment Case

Getting your Trinity Audio player ready...


A North American retail chain with nearly 30k employees, 1k stores, and an extensive network of 3rd party suppliers struggled with expanding their Information Security program beyond a vulnerability-only focus. The CISO knew that they needed to look more broadly at exposures including Active Directory, exposed credentials, and misconfigurations, but had limited success in getting the Board to agree to that vision. The CISO needed a way to document and communicate risk and risk reduction progress in terms the Board would understand to convince them to support the change.

The Challenge

Many retailers operate in a complex and highly competitive space where small changes can have a significant impact on the profitability of the overall business. The customer knew that a breach would put employee, customer, and supplier data at risk, leading to increased churn and reduced operating margins. They had a mature vulnerability management program that, while effective at helping them manage vulnerabilities, did not deliver a comprehensive view into the broader exposures that are part of how an attacker would move laterally throughout the business, seeking critical assets.

The current vulnerability management team lead was hesitant to add more to his plate and his team already had more than they could manage. Remediations across the business were a labor-intensive task, often requiring multiple days each week, when their vulnerability management solution flagged a high severity issue. Despite that effort, the program missed the larger exposure perspective because of the vulnerability-centric focus.

While the CISO had a working relationship with the Board, what he was lacking was the data to show the problem, in terms they could understand and appreciate, to get budget approval to address the gaps.

The Solution

Working with the XM Cyber team, a multi-stage plan to build a technical and financial case to the Board was developed. The team used the PCI-DSS compliance mandate as a compelling event to deploy to a portion of the business to demonstrate the value. The alignment between the customer’s SecOps, IT and XM Cyber meant a frictionless rollout to over 4,000 endpoints, including servers and workstations, across the corporate and in remote store locations, running a blend of Linux\Win\macOS and the multiple cloud services used. No additional FTEs were required, and more importantly, no weekend or off hours work for the team.

The CISO and the XM Cyber team established a framework to build a financial case that would be used in conjunction with an executive risk report. The goal would be to show the technical and financial leadership teams along with the entire Board how the business would reduce risk and improve their financial position with XM Cyber.

The Results

One of the earliest wins the CISO achieved was to confirm suspicions about vulnerabilities being only part of the concern for the business. Like many organizations, employee endpoints were equipped with full disk encryption to minimize impact from a lost device. There was an AD group to help manage this deployment, members of this group had unfettered access to admin controls. The CISO quickly learned that the AD group had evolved from a controlled group of admins with the need to have access to a far larger group. This exposed nearly any device to potential misuse, compromise, and being part of a larger event. XM Cyber identified this on the initial scan, and his team was then able to address it within the first week.
Initially hesitant to take on more solutions, the vulnerability management team lead quickly became a huge fan of how XM Cyber made his team far more efficient. Previously he relied on CVSS scores and custom-built rules that required regular updating to assign vulnerabilities to SecOps and ultimately IT to remediate. When he provided a list of issues, IT would push back for “…just the top 10.”

Without a strong case for prioritization, the vulnerability management team lead would strive for them all to be fixed, not knowing which could prevent an incident. With XM Cyber’s Attack Graph Analysis™, he was able to narrow the list to the top few that addressed the riskiest exposures – those on an attack path to a business-critical asset or service putting operations at risk. IT could take this list and create a detailed remediation plan to execute upon during normal service windows. This collaboration eliminated impact on the retail stores and their 24×7 need to service customers.


To reduce the scope of their PCI-DSS audits, the business segmented their networks, but they needed a way to prove how effective their walls were. XM Cyber’s attack simulation was able to find and document how lateral movement through an unsecured file share allowed an attacker from a remote location to laterally move into the corporate environment and compromise business critical assets. The CISO and his team were able to resolve this issue and shore up their segmentation.

The final piece was the technical and business case that the CISO delivered to the executive team and the board. The first part was documenting the overall risk score of the business and identifying hot spots to resolve 1st. But more importantly was the financial case that showed the ROI of XM Cyber across 3 dimensions: How this investment avoids the potential cost of breach, how the investment drives cost reduction immediately and how it drives operational efficiency. The business case the CISO presented, and that the entire team bought in on, showed a $5mm annualized savings across these three dimensions. From reduced pen testing and red teaming to more efficient remediation processes, the CISO spoke to the financial benefits.




Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.