EP 2 – Dispatch From Retail’s Frontline: Building Cyber Resilience

David Puner: You’re listening to the Security Matters podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

Imagine this scenario: A major retail chain is in the middle of its busiest shopping season. Shoppers jam checkout lines, employees restock shelves at record speed, and credit cards dip and swipe in a rhythmic pulse. But something isn’t right.

An attacker—maybe an insider, maybe someone who just walked in off the street—manages to plug a small, inconspicuous device into a point-of-sale terminal.

At first, nothing seems off. Transactions process as usual. But the retailer’s entire payment system is compromised. The attacker is siphoning credit card data and cloning credentials. The worst part? The breach isn’t detected until customers start reporting fraudulent charges days later.

This scenario isn’t just hypothetical. Retail—one of the most targeted sectors for cyberattacks—faces unique challenges where digital security meets real-world exposure. From AI-powered phishing scams to evolving ransomware threats, attackers are becoming more sophisticated.

The good news? Leaders like our guest today are working to stay ahead of these threats—integrating AI-driven defenses, strengthening cyber resilience, and ensuring that the trust between retailers and consumers remains intact.

Let’s dive in.

Jason James, Chief Information Officer at Aptos Retail, thanks so much for coming on the podcast.

Jason James: Yeah, thanks for having me today.

David Puner: Really excited to talk to you. We haven’t really gone deep on retail in this podcast for a while—maybe ever—so we’ll have to dial that up at some point.

But let’s start with your role. As CIO of Aptos Retail, what does your role entail, and what was your career path to becoming CIO?

Jason James: In my current role, I oversee our cloud operations and global internal IT group, which manages everything from CRM and business systems to talent management systems with HR. I also oversee our business intelligence teams and lead our cybersecurity and compliance divisions.

Aptos is one of the largest software companies in the world that focuses exclusively on retail. We handle everything from point-of-sale to order management and CRM—but specifically within the retail space. If you go into a mall, think of everyone except the anchor stores. Companies like Michael Kors, New Balance, and Crocs—those are the types of brands we serve. We provide our services as a software-as-a-service platform.

As for how I got here—well, it’s been quite the winding road. Every job I’ve ever had has been in technology. I live in Atlanta now, but I grew up a couple of hours south of here in Alabama. When I was 15, while other kids were mowing lawns or working retail jobs, I was laying out Lantastic networks and upgrading PCs.

Since then, I’ve worked in various sectors—telecom, enterprise tech, retail analytics, and even healthcare tech. I’ve been a CIO at two different healthcare tech organizations before returning to retail. But the common thread throughout my career has been infrastructure, data centers, cloud computing, and SaaS delivery.

If the internet made every company a tech company, what we’re seeing now is AI making every tech company an AI company. And that’s where we’re focused as well.

David Puner: That’s a really interesting career path. We’ll definitely get into AI in a few minutes, but let’s go back to your early days. When you were a teenager and everyone else was mowing lawns or taking retail jobs, you were doing what exactly?

Jason James: I was setting up Lantastic networks—think of it as networking for dummies. Small and medium-sized businesses were just starting to network their computers together, connecting three or four desktops so they could share data.

It’s wild to think about now. In my house today, between my wife, my kids, and me, we probably have 40 to 50 connected devices—everything from smart thermostats to doorbell cameras to our laptops and tablets. That’s more networked devices than the businesses I worked on back then.

David Puner: It sounds like tech has always been a passion for you, and ultimately, that’s what led you to where you are today.

Jason James: Absolutely. But it’s more than just the tech side—it’s also the entrepreneurial side. When I was a teenager, those early jobs were essentially consulting gigs. I’d go out to local businesses—sometimes ones my dad knew—who needed help with their IT.

When I started college at Auburn University, I ended up buying the value-added reseller I was working for when I was 19 years old. I took a sabbatical from school to run the business full-time. Later, I went back to finish my degree—I ended up getting my undergrad from Oregon State and my master’s in Applied Information Management from the University of Oregon.

But that entrepreneurial mindset, solving business problems with technology, made me a CIO long before I ever had the title.

David Puner: In your role as CIO of Aptos Retail, are you both outward- and inward-facing?

Jason James: Absolutely. Day-to-day, I’m responsible for keeping the lights on—the foundational things every CIO does. That includes managing business systems, ensuring data integrity, maintaining internal security, and overseeing IT operations.

But I’m also working directly with our largest clients. What security needs do they have? How do we differentiate our products? How do we support their upgrades and deployments? How do we ensure our technology is making their business more efficient and driving profitability?

I’m not in sales, but I serve as a sounding board. CIOs want to talk to other CIOs—we share pain points, discuss challenges, and exchange insights. Sometimes, our conversations extend beyond our own technology. They might ask for guidance on an ERP implementation or a security initiative, and my job is to be a trusted partner and advisor.

David Puner: Retail is one of the most targeted sectors by cyber attackers. Why is that? How does retail compare to other heavily targeted industries, like healthcare?

Jason James: The three most attacked sectors in the U.S. are:

Finance – Because that’s where the money is.
Healthcare/Healthcare Tech – Sensitive personal data makes it a huge target.
Retail – A unique mix of financial transactions and physical exposure.
Retail presents challenges similar to healthcare. You have seasonal or hourly workers who may not have cybersecurity training. But what really makes retail unique is that it’s so physically accessible.

Think about it: what other business allows you to walk right up to the register that handles money? You can literally touch the point-of-sale system in a retail store. That’s not the case in enterprise environments, where it’s nearly impossible to walk into an office building and access a corporate desktop.

This physical accessibility makes retail more vulnerable to threats like credit card skimmers and USB-based attacks. A bad actor could discreetly plug in a rogue device without drawing suspicion. Since retail is customer-centric, businesses hesitate to put up barriers that might interfere with the shopping experience.

And there’s another factor—familiarity. So many people have worked in retail at some point in their lives. They know how these systems work. That includes hackers who may have started out in retail jobs and later learned how to exploit the industry’s weak points.

David Puner: That’s a great point. We all interact with retail—whether as employees or consumers. What’s your perspective on consumer trust and how it relates to security in retail?

Jason James: Consumer trust is everything. If you think about brand loyalty, people have strong preferences. You probably have a favorite sneaker brand, right?

Retailers work hard to protect that relationship. But trust is fragile. A single data breach can damage a brand’s reputation overnight.

Nobody wants to receive an email saying:
“Your personal information has been compromised.”
“Your credit card was exposed.”
“Your Social Security number was leaked.”

Because of this, retailers are making big investments in next-generation security. Five or six years ago, many were still using traditional antivirus. Now, they’re moving toward next-gen endpoint detection and response (EDR) to stay ahead of threats.

Ultimately, protecting customer data means protecting trust—and that trust translates directly into brand loyalty and revenue.

David Puner: Is protecting retail data different from protecting healthcare data? How do regulatory differences impact security strategy?

Jason James: Data is data. The way you protect it is fundamentally the same. What changes is the penalty for failing to protect it.

For example:

PCI compliance violations (credit card data) could lead to fines or a forced reissue of credit cards.
HIPAA violations (healthcare data) could involve U.S. Marshals showing up at your office—a whole different level of enforcement.
Coming from healthcare tech, I brought those highly regulated security best practices into retail. That means:

Next-generation security frameworks
Data segmentation
Strict access controls
Even though retail data may not be regulated to the same extent as healthcare, trust violations can be just as devastating.

David Puner: How do you balance PCI DSS compliance with ensuring a seamless shopping experience?

Jason James: Shift-left security. Build security into the development process, rather than treating it as an afterthought.

There’s an IBM study that found fixing a security issue post-deployment is six times more expensive than addressing it during development.

Security should be woven into the DNA of an organization. Compliance isn’t just about checking a box—it’s about ensuring that every system is designed with security from the ground up.

For us, compliance is a measurement of security, not the goal itself. Security comes first, and compliance is simply a byproduct of good security practices.

David Puner: You mentioned cyber resiliency earlier. What does cyber resilience look like in retail, and how can organizations build it?

Jason James: It’s not just cyber resiliency—it’s business resiliency.

Retail environments can be fragile. Think about the networks at:

Malls – crowded, congested Wi-Fi.
Pop-up events – temporary infrastructure.
Marathons, concerts, festivals – makeshift payment systems.
And then you have major global disruptions—like last year’s CrowdStrike outage, which affected businesses worldwide.

The question is: Can your system withstand disruptions?

With our product, for example, we build a highly resilient system that allows transactions to continue even if the network goes down.

We’ve all been there—holiday shopping season, a packed store, and suddenly the register stops working. That’s frustrating for shoppers, but it’s even worse for seasonal employees trying to keep things moving. They just want to process the sale, close their shift, and go home.

Retailers need systems that can withstand outages without interrupting sales—because resiliency protects revenue and customer trust.

David Puner: Speaking of those seasonal employees—how difficult is it to properly train retail workers on cybersecurity awareness?

Jason James: It’s extremely challenging. The biggest problem? Training has to be engaging.

Think about it:

Retail workers already go through a ton of training—POS systems, customer service, inventory management.
If cybersecurity training is boring, they’ll click through without paying attention.
But cybersecurity is fascinating!

Deepfakes are changing the way we verify identities.
AI-powered phishing is tricking even savvy employees.
That’s why we need interactive training—not just long, boring computer modules.

One thing I do with my security teams is Cybersecurity AMAs (Ask Me Anything).

We discuss: Real-world threats, new attack trends, security tools.
We open the floor: Employees can ask anything.
The goal is to make security relatable. If I can get people to care about protecting their personal data, they’ll also care about protecting corporate data.

David Puner: That makes a lot of sense. At the end of the day, individuals make up organizations—so security starts with each person.

Let’s shift to emerging threats. How do you stay ahead of new cyber threats, especially the unknown ones?

Jason James: It’s a continuous learning process.

I’m constantly engaging with security partners, CISOs, CIOs, CTOs—we share what’s working and what’s not.
I follow threat intelligence feeds for real-time updates.
But beyond that, it’s about relationships—talking to other security leaders to understand what they’re seeing.
It’s harder than ever to be a CIO or CISO today. Twenty years ago, a CIO might oversee one ERP implementation every four years—maybe handle the occasional virus.

Today?

Nation-state attacks.
Ransomware-as-a-service.
Deepfake scams targeting wire transfers.
Global supply chain disruptions.
Remote work vulnerabilities.
It’s not just a technology job anymore—it’s geopolitical, financial, and strategic.

And let’s be honest—the attackers are using AI too.

David Puner: Speaking of AI—how is AI and generative AI transforming retail? What are the security benefits and risks?

Jason James: AI is revolutionizing retail in two major ways:

1. Operational AI – Smarter Business Decisions
Retailers are using AI-driven analytics to:

Identify top-selling items.
Track slow-moving inventory.
Optimize pricing strategies.
Employees who aren’t data scientists can now use chat-based AI tools to analyze trends and get instant insights.

2. Cybersecurity AI – Smarter Threat Detection
AI is game-changing for cyber defense:

It detects slow-moving attacks that unfold over weeks or months.
It spots unusual patterns—for example, if a hacker probes a network subtly over time.
It prevents lateral movement by stopping threats before they escalate.
But here’s the flip side: Attackers are using AI too.

AI-powered phishing emails are flawless—no typos, no weird phrasing.
Fake conversations can be auto-generated to trick employees into wire fraud.
Generative AI scams can create entirely fake email chains that look like ongoing conversations.
We’ve seen cases where an employee receives a fake email thread that looks like a months-long exchange between their CFO and an external vendor—but the whole thing was generated by AI.

That’s why security awareness training can’t be a once-a-year exercise. The threat landscape moves too fast.

David Puner: That’s pretty alarming. Let’s go even further—what about AI agents? As AI evolves beyond task automation, what are the new risks?

Jason James: AI agents are going to completely change cybersecurity—both in good and bad ways.

Right now, AI mostly responds to humans—you type a question, AI gives an answer. But in the near future, AI agents will start talking to each other.

Example:

A Salesforce AI agent talks to a Workday AI agent to process employee data.
A Copilot AI agent fetches analytics from multiple sources to generate reports.
But what happens if one of those AI agents gets compromised?

A malicious AI agent could start modifying data in subtle ways.
AI could start issuing unauthorized transactions or creating fake reports.
It’s going to introduce a new kind of insider threat—one that isn’t human.

We have to start thinking now about how to monitor and protect AI agents.

How do we segment AI agents?
How do we track their activity?
What happens if an AI agent starts acting “off”?
The stakes are high. Just look at what big tech is spending on AI infrastructure:

Google: $75 billion
Microsoft: $80 billion
Amazon: $100 billion
Meta: $65 billion
That’s wartime spending. AI is our generation’s Manhattan Project.

And when the technology evolves this fast, security risks evolve just as fast.

David Puner: That’s a great point. With AI advancing so quickly, how does machine identity factor into security?

Jason James: Machine identity is the next big security frontier.

We’ve spent years perfecting human identity security—multi-factor authentication, biometrics, zero trust principles. But what about non-human identities?

How do we verify an AI agent?
How do we ensure a machine-only process isn’t compromised?
How do we limit what a machine identity can access?
Right now, organizations struggle with human identity security—there are still companies that haven’t fully implemented privileged access controls. But machine identities? They’re multiplying exponentially.

A modern enterprise might have 10 times more machine identities than human ones.

Every cloud service has an identity.
Every API connection has an identity.
Every AI model making business decisions has an identity.
The challenge is controlling machine identities at scale. If an attacker compromises a machine identity, they could move laterally across multiple systems without triggering traditional alerts.

David Puner: That makes sense—especially when everything is so interconnected. What about supply chain security? How does that play into your security strategy?

Jason James: Supply chain security is top of mind—especially with tariffs and global disruptions.

For retailers, supply chain security has two major concerns:

Product availability – Where are you sourcing goods?
Software security – Are you using trusted vendors?
For example, a lot of retail hardware—payment terminals, scanners, kiosks—comes from China. With increased tariffs, we’re seeing shifts to alternative suppliers in Vietnam and Cambodia. That means:

Longer lead times for hardware.
More third-party vendors in the supply chain.
New security risks if suppliers aren’t vetted properly.
Then there’s the software side. Many retailers rely on third-party software integrations—from POS systems to order management tools.

If a supplier gets compromised, the whole chain is at risk. That’s why vendor security assessments are critical.

David Puner: Let’s talk digital transformation. How do you approach digital transformation while maintaining strong cybersecurity measures?

Jason James: Transformation should always be tied to a business goal.

Does it improve efficiency?
Does it reduce costs?
Does it remove friction?
You don’t adopt technology for the sake of it. Every transformation should have a clear return on investment.

From a security standpoint, modernizing identity is a huge focus.

Moving from passwords to biometrics.
Embedding security into authentication.
Reducing friction while strengthening protection.
For example, biometric authentication (face recognition, fingerprint scanning) removes the need for employees to remember 14-character passwords.

And security should never slow down the business. There are tools today that embed VPN connectivity into the operating system, so employees don’t even have to launch a VPN manually.

David Puner: What about cloud security? How do you balance accessibility and security in a cloud-first environment?

Jason James: The security of big cloud providers—AWS, Azure, Google Cloud—is strong. The challenge isn’t securing the cloud itself—it’s:

Managing data sovereignty (keeping data where it legally belongs).
Protecting identities across multiple cloud services.
For global retailers, data residency laws are a huge factor. You can’t store customer data from France in a U.S. data center without violating regulations. That’s why cloud strategy isn’t just about security—it’s also about compliance.

And then there’s AI’s impact on cloud infrastructure.

AI models require massive computing power.
The demand for GPUs is skyrocketing.
Data centers are running out of power capacity.
Case in point—the first new U.S. nuclear power plant in decades just went online in Georgia, and over 50% of its energy is being allocated to data centers.

The future of cloud security will also be tied to power availability and infrastructure expansion.

David Puner: That’s fascinating. With so much complexity, how do you balance people, process, and technology in your security approach?

Jason James: People are the most important part of the equation.

At the end of the day, technology is just a tool. You need the right people and the right culture to make it work.

A strong security culture means:

Employees understand the “why” behind security.
Leaders prioritize security in decision-making.
Security teams communicate in a way that makes sense to the business.
As a CIO, I’m always thinking:

How do I motivate people to embrace change?
How do I explain security in a way that resonates with executives?
How do I ensure security is an enabler—not a roadblock?
Ultimately, it’s about building trust—within the organization and with customers.

David Puner: That’s a great perspective. One last question—Atlanta is known for a lot of things, but how’s the pizza?

Jason James: Honestly? Not great.

David Puner: Good to know. Up in Boston, we’ve got the same problem.

Jason James: There are a few Neapolitan spots that are pretty solid. But whenever I’m in New York, I make sure to grab a slice.

David Puner: That’s the way to do it. Jason, thanks so much for coming on Security Matters. This was a fantastic conversation, and we hope to have you back soon.

Jason James: Thanks, David—really enjoyed it.

David Puner: And that’s it for this episode of Security Matters. If you enjoyed the show, follow us wherever you get your podcasts so you don’t miss new episodes.

If you have ideas for future topics, drop us a line at [email protected].

Thanks for listening—see you next time!