Groupe Rocher CISO on strengthening a modern retail cybersecurity strategy

Global retail and beauty brands manage a unique cybersecurity balancing act. They depend on consumer trust, massive volumes of personal data, and a sprawling network of vendors, while also managing thousands of physical locations and dynamic digital growth.

In this Help Net Security interview, Jérôme Etienne, Group CISO at Groupe Rocher, shares practical insights on closing strategy gaps, managing third-party risk, and securing online and in-store environments. In the conversation, he also discusses why point-of-sale and in-store systems can no longer be treated as secondary security concerns, especially as attackers increasingly target overlooked technologies. He also explains how CISOs can build a unified global security strategy that meets regional regulatory demands without creating fragmented policies and inconsistent controls.


Global retail and beauty brands sit at the intersection of consumer trust, complex supply chains, and aggressive growth targets. When you look at a typical enterprise in this space, where do you most often see a disconnect between stated cybersecurity strategy and actual business risk?

In the retail and beauty sectors, a common disconnect arises from the gap between the strategic intent of cybersecurity measures and their operational execution. This often manifests in the misalignment of cybersecurity priorities with actual business risks, particularly in areas like supply chain vulnerabilities and consumer data protection.

Enterprises might declare robust cybersecurity strategies yet fail to adequately address the threats posed by complex supply chains and aggressive digital transformation efforts. To bridge this gap, at Groupe Rocher, we have chosen to integrate cybersecurity into the core business strategy, ensuring that security measures are not only reactive but also predictive, leveraging threat intelligence to anticipate and mitigate risks effectively. Adhering to broader cybersecurity and regulatory best practices allows us to strengthen this alignment by requiring a comprehensive risk management approach, encompassing supply chain security, robust incident response capabilities, and overall resilience against evolving threats.

Additionally, encouraging a culture of cybersecurity awareness across all levels of the organization can help ensure that everyone understands their role in maintaining security. Regular training sessions and open communication about potential threats can empower our employees to act as the first line of defense against cyber risks.

Many brands focus heavily on securing e-commerce platforms but treat point-of-sale and in-store technologies as “solved problems.” Is that assumption still valid in 2026?

The idea that point-of-sale (POS) and in-store technologies are “solved problems” is becoming outdated as we move towards 2026, especially for a group like ours, which operates around 2,500 locations worldwide. Cyber threats are getting more advanced, especially targeting IoT devices and older systems, so we need to rethink our security strategies. Retail and beauty brands should have a complete security plan that covers both online platforms and in-store tech. This means using strong protection for devices, keeping an eye on systems all the time, and doing regular security checks to make sure everything is safe from new threats.

It’s also important to remember that vulnerabilities aren’t always about technology. Often, they come from poor practices, like using weak passwords, having too much access, or not using multi-factor authentication (MFA). Criminals might use phishing or social engineering attacks to steal access from their victims. We have started integrating AI-driven threat detection and response as a first step toward improving the security of both digital and physical retail spaces.

Furthermore, regular staff training on cybersecurity awareness can play an important role in preventing breaches. Our employees are well-informed about the latest phishing tactics and encouraged to report suspicious activities promptly. This proactive approach safeguards technology and empowers the workforce to be vigilant against potential threats.

Global beauty brands rely on a sprawling ecosystem of vendors: marketing tech, logistics providers, payment processors, influencers, and marketplaces. At what point does third-party risk become a brand risk?

Third-party risk becomes a brand risk when the security posture of vendors directly impacts the brand’s reputation and operational integrity. In the beauty industry, where brands rely on a diverse ecosystem of vendors – even for a company like Groupe Rocher, which manufactures nearly 90% of its products in-house – the risk is amplified by the interconnectedness of digital platforms and supply chains.

To mitigate this risk, we have implemented a rigorous third-party risk management framework that includes thorough vendor assessments, continuous monitoring, and contractual obligations for cybersecurity standards. Cybersecurity and regulatory best practices on supply chain security can guide brands in establishing robust controls and ensuring compliance across their vendor network.

Additionally, fostering open communication and collaboration with vendors can help identify potential vulnerabilities early. We regularly organize workshops and joint security drills that can enhance mutual understanding and preparedness. By building strong partnerships and emphasizing shared security goals, brands can create a resilient network that not only protects their interests but also strengthens the entire ecosystem against evolving threats.

Loyalty programs, personalization engines, and AI-driven recommendations depend on rich consumer data. How should retail and beauty brands recalibrate data protection strategies as regulators and consumers become less tolerant of “data-first” business models?

As both regulators and consumers become less accepting of business models that prioritize data above all else, retail and beauty brands need to change how they protect data, focusing more on privacy and transparency. This means designing systems with privacy in mind from the start, improving data encryption, and setting up strong access controls.

Brands should also invest in educating consumers and communicating openly about how their data is used, which helps build trust and ensures compliance with data protection laws. Various global regulations and standards emphasize data security and incident reporting, offering a framework for brands to enhance their data protection strategies and meet regulatory expectations worldwide.

Additionally, brands can benefit from adopting a more consumer-centric approach, where feedback mechanisms are in place to understand consumer concerns and preferences regarding data usage. We conduct regular audits and assessments to identify gaps in data protection and continuously improve our controls. By prioritizing transparency and actively engaging with consumers, we aim to foster a sense of partnership and shared responsibility in safeguarding personal information.

How should CISOs in retail and beauty think about aligning cybersecurity strategy with regional regulatory realities without fragmenting their security posture?

CISOs in the retail and beauty sectors should adopt a unified cybersecurity strategy that accommodates regional regulatory variations without fragmenting their security posture. This requires a flexible framework that allows for regional adaptations while maintaining a consistent global security standard. Leveraging a centralized security operations centre (SOC) and adopting a modular approach to compliance can help us manage regional regulatory requirements effectively.

Drawing from over 25 years of experience, I can attest that the key to success lies in understanding the nuances of each region’s regulatory landscape. It’s not just about compliance; it’s about building relationships with local regulators and stakeholders to ensure a proactive approach to security.

Regularly updating policies and procedures to reflect changes in regulations is crucial. Additionally, investing in local talent who understand the cultural and regulatory context can provide invaluable insights and strengthen the overall security strategy.

By fostering a culture of continuous improvement and adaptability, brands can ensure their cybersecurity measures are robust and resilient. Cybersecurity in the retail and beauty sectors must be holistically integrated into the overall business strategy. This involves not only addressing current threats but also anticipating future challenges and adapting to the digital landscape. Successful brands will be those that manage to balance innovation, security, and consumer trust while adhering to global standards and regulations.
