The chief information officer at a nationwide furniture retailer talks about getting past Armageddon-like fear and how the upcoming Midsize Enterprise Summit: IT Security conference will give attendees a place to share their concerns in a safe setting.

Ben Cranmore is the chief information officer with Furniture Mart USA. He’s also a charter member of the Midsize Enterprise Summit IT Security Advisory Board, where he’s driving content for our upcoming Midsize Enterprise Summit: IT Security event, which takes place May 22-23 in Jacksonville, FL.

The MES: IT Security event will give attendees peer advice, plenty of networking opportunities, face time with award-winning vendors, the chance to hear about the latest products and solutions to protect your data from constantly evolving threats, and more.

We chatted with Ben recently about the security problems his organization has faced, how organizations can fight data breaches, and what to expect from the MES: IT Security event. Here are highlights from that conversation:

Ben, what can you tell us first about your organization and your role in your organization?

I have been a “conversion” expert for the last 30 years with 11 of my “clients” being in the furniture retail arena. My current employer was one of my clients that 15 years ago decided they could not do without me being on the staff. I was tired of traveling 50 of 52 weeks all over the world, so I did it. I am the CIO for the organization with full authority for everything IT-related which includes anything with a power button, including copiers, fax machines, phone systems, and security systems. We grew from $55M/year gross revenues when I joined the company in 2003 to this year topping $250M/year (500%) with a great deal of the increase directly attributed to automation and IT efforts.

What interested you in being on the MES IT Security Advisory Board?

Anyone in IT has been constantly “bombarded” with Armageddon-like fear by everyone, not just the vendors selling security software. We are afraid to leave our homes since the sky will surely fall today! I can be afraid of “stubbing my toe”; I can be afraid of crossing a busy intersection during rush-hour traffic. While both scenarios result in fear, it is easy to see that one far outsizes the other. I know from my past personal experience that to lead a function, you often learn more than simply being led. I would rather “rightly divine” the correct setting than be led by someone who may or may not understand the setting. I would rather be a teacher (and have to study harder) than to be a follower and just consume another’s teachings.

Have you had any problems with security in your company?

The difference between a minor security breach and a major security breach depends on whether it happens to you or to someone else. We had a security breach -- the good ole CEO impersonation to gain privileged data. In our case, it was W2 data on all of our employees. Our first reaction was, “Oh my God, the sky just fell” with every C-level executive running for cover (or mostly looking to me to decide what to do next), even though it was a breach by an accounting clerk involving email. We engaged the services of a remediation firm, $40K-plus for a letter and enrollment in a credit monitoring service for our employees. No employees’ personal data was taken advantage of.

What takeaways and/or lessons learned did you have from the breach?

It took us too long to engage a response. We were more terrified than the breach required. We created an SOP to respond much quicker in the future. We engaged with an anti-phishing training company.

How can SMBs do a better job of protecting themselves against data breaches?

Spend available dollars for security very wisely. There will never be enough dollars to purchase everything available and, even if you did buy everything available, there is no 100% guarantee that you are safe. Remember, your desired objective is to make your company a harder target than the next guy. It’s like the old story of how do you survive being chased by a bear? Run faster than the other guy. You can’t outrun the bear.

How can the MES IT Security conference help the SMB audience improve their data security?

Education, education, education. By making relevant facts available. Demystifying the fear mongering associated with security vendors. Providing a “safe place” for SMBs to discuss their concerns without retribution. Providing a venue for ongoing networking between like organizations.