All right, well, welcome. And, let's talk a little bit about AI in retailing and starting with in the asset protection, loss prevention space. But again, the beauty of AI is it's allowing us to do multiple things at once and do things that can be dull, dangerous, and disgusting, and things like that. So, but it does things to give us a heads-up. And, so what I'd like to do is kind of look at the scope and scale of retail crime. Now, there's a little controversy out there, not with us, and not with the 94 retail corporations that we work with week in and week out, but with others. And part of the issue is, what's going on, is it measured, and how is it measured, coded, and used?
And there's a difference, and we all know this, between what law enforcement knows and the police and sheriff, they only know what a crime victim lets them know. And so it's tough, and our data show in our surveys that law enforcement only knows about 40%, maybe 50% of what's going on from a crime event standpoint. And that's what we're interested in, how many crime events, 'cause that's what leads to everything, all the victimization and harm that we all incur. But what we do, in addition to using official crime data, is work with the retailers themselves, and understand what's going on across their 0.3 million stores that we're working with them on, to understand what are they experiencing and what's happening.
Well, what's happening is growing in scope, in scale, and even in the life safety standpoint, it's becoming more dangerous and aggressive, and they can look at year-over-year growth, sometimes as many as triple digits. So it's an issue, it's a problem, and that means it's an opportunity. So we're going to talk a little bit about that, and I'm going to first turn to Mike Lamb, longtime friend and colleague, from the Home Depot, from Walmart, and lately from Kroger Company, to talk a little bit about what are you experiencing, what's that look like, and why is the big fallout for a little more technology, if a lot, not a lot more AI support?
Yeah. Well, thank you, Read, and it's certainly a pleasure to be with you this afternoon. You know, my experiences in 40 years+ of being in this space of trying to keep the bad actor at bay, in the last, I'd say 3-5 years, the escalation just in the epidemic of habitual organized theft has really astounded me, even for the years that I've been, I've been doing this. I was with Kroger initially, just to kind of step back a moment, from May 2017, and then I retired from Kroger in November 2020. So I was gone for about 18 months, ultimately, before I returned to Kroger.
I was astounded with what I saw in just an 18-month period with really what I would call the epidemic of organized retail crime. So for the Kroger Company, one of our main core values, and I'm sure it is for any retailer that may be in this room, is safety, life safety, right? So what we're seeing with regard to organized theft brings about today an element of violence that I've never witnessed in 45 years. I was talking to a dear friend and colleague, Ed Wolf, just last night. You know, years ago, bad guy take the stuff, and if you approach them, they drop it and run. Today, they dare you to do something about it. Literally dare you to do something about it.
You know, we have certain markets across our chain where this problem is worse than others, obviously, but it's led us to many changes, and perhaps I'll mention it later, about how we go to market to understand better the organized retail crime operator, and more importantly, how we leverage technology, AI. We have solution providers that support, but not solution providers, they're strategic partners. In this room today, I see a few of them that have supported Kroger over the years. In the absence of this technology and the advancement of AI and a lot of the works that, that's being done holistically, I would suggest to you that we'd be in a far, far worse place.
Some of the media, some folks say, "Well, is it really that bad?" Well, I've never been one to rely purely on emotion or eyesight, more on data and history, and our trending suggests to us it is indeed a problem, and it's a growing problem. We don't try to pinpoint it to a specific number, but we are like most retailers. We're seeing this rise in organized theft, and we know and realize we have to do more about it at the Kroger Company. And my organization that I work for today, I tip my hat because at the very top of the priority list is life safety. You know, we preach constantly there is nothing in that store more important than the safety of our customers and associates.
Any technology that helps complement that, helps mitigate that risk, is always going to be a priority for the Kroger Company.
Excellent, and I appreciate that, Mike. And life safety, life safety, we have the major retailers come through our labs almost on a weekly basis now to whiteboard, and that's where everybody's starting. We're at the major department store chain last night when Mike and his team were out in here a couple of months ago in the labs. Same thing, life safety, but it's always going to be about that experience and that outcome by the green and the red shopper, right? The good and the bad. Let me go over to you and maybe get a little bit of a, an understanding, Robert, what's going on in your realm, and how do you look at it? How's that affecting your business?
Thank you, Dr. Hayes. I just first want to point out this article that came out just a few days ago from the National Association of Convenience Stores, it's at convenience.org, highlighting that since January 2020, the per loss, per store loss is more than doubled, which is significant and why there's a lot of focus on this today, and then you can also see further in there, our article talks about the largest spending is now in technology and video analytics solutions.
So to kind of echo what Mike said, certainly there's top priority is the safety of the folks in the store, whether that's the associate or the customers. And so with that, with partners, like, like Mike said, in this room even, you know, we're looking at things that can detect slip and falls, detect crowds gathering outside the store, maybe at night, that the associate inside can't see, and other things. So, you know, I characterize the problem a little differently from some of Mike's earlier examples, like with Home Depot, Walmart.
In convenience, you know, you don't have groups of people rushing the store and arm sweeping 100 bags of M&M's. You know, it just doesn't make sense. But where we do see some of the problems are around fuel theft, and so, with computer vision technology, we're able to detect, help us detect some things that are happening to help prevent fuel theft. Also, we see some of the things around gift card scams and just regular theft through self-checkout, but we'll talk about some of those later.
So, I mean, what's interesting is they're very different experiences for each of your businesses. And, you know, at NVIDIA, we put out a survey recently and surveyed over 400 retailers, and what came back loud and clear is retailers are taking ORC seriously, loss prevention seriously, safety seriously. 35% have already invested in solving this problem and are continuing to expand on that. So I thought that was really, really emphasized just the criticality of and urgency around this problem. And then, Matt, I think you're also seeing.
Absolutely. So, Cynthia, I'd agree with you 100%. We're really validating the comments that you made, and we're seeing that on a daily basis with our customers. Look, we started out in kind of a decomposed pieces, parts, environment. We were looking at license plate scanning, we were looking at cameras, and so on and so forth, RFID tags, and things like that. Well, now we've got to look at it more holistically, and we've got to pull it back in and then pull it more down to earth, really working with partners, and you'll hear a number of the names up here today, Everseen and RadiusAI and so forth, where we're looking at that AI platform to try to control these bad actors. Now, in addition to that, though, we are adding a bit of complexity.
Spoilers, we can help you with that. Because, of course, we're gonna create a massive amount of data. Do you have a platform? Do you have a server world? Do you have an IT person who can manage that server? Or are you looking at doing something on the edge with something as small as a phone, right? So again, we're seeing a lot of these technologies really come to the fore right now, and in real time, we're realizing how we manage them and how we help you deploy them, and ultimately, at the endpoint in the store, how we assist your associates in making sure they can utilize them effectively.
Excellent. So, yeah, I wanted to go back to Mike real quickly. You know, we hear a lot about ORC, organized retail crime. By the way, our team had done a study for RILA, Retail Industry Leaders Association. I don't know if I'm allowed to mention them in RF, but several years ago, 20 years ago, and based on a ton of interviews across the country, we recommended let's change it to ORC because it's much more going on, right, than just stuff that can be organized in some way. Partly, though Mike and I have been talking about this with some other retailers in our team, we're also using coordinated crime, right? Because some of them are organized, some of them aren't, but they are definitely coordinating more and more, maybe before they get there and maybe not during there, and then sometimes after all the above, right?
So think about coordination of offenders that are looking at places to go, what they want to take, why they want to take it, how they're gonna take it, who's gonna work with them, and so on. Mike, can you tell us just an example, maybe, the difference between organized retail crime events or coordinated crime compared to, say, what you see all day in and day in, day out, opportunistic type thing?
Yeah. Yeah, well, thanks, Read. One of my personal takeaways and learnings in coming back to Kroger in May of 2022, that very month, we made a trip out to one of our markets where we had a significant issue with homelessness and drug affliction.
Mm-hmm.
And what we saw there was quite astounding to my team, to anyone that was not living in that moment as a store leader, as a store associate, as an asset protection team. Just this absolute blatant level and brazen level of theft. There was a period of time when we were there that we didn't walk into a store where we didn't see activity. It was very alarming and quite frankly, a violent behavior. So as an organization, we came away from that and said, "What have we learned? And more importantly, what are we gonna do about it?" And, you know, we had a very simple model of risk rating at Kroger. We still do. Simple, not in the fact that it's not effective, but we don't have 16 levels of variety of risk ratings.
We simply have low, medium, high, and max. But we walked away, Read, and team, with some learnings that there's another group of stores that we dubbed extreme, extreme stores, because they're just that. In many cases, these are stores where our position was we have to take our stores back, and we knew that we could only get there through two things, people and technology. And then the other learning is not all shoplifters are created equal, right, Read? I mean, for us, we used a very simple model to say we have a level one, a level two, and a level three in the organization. The level one is the more where temptation meets opportunity. It's kind of the more spontaneous theft that occurs in the business, and we've got great solution provider partners that help us mitigate that.
We had another characteristic, was mobility. How mobile are these people? What's their ability to get from one store or one area or one market to another? And then third, and finally, most importantly, what was the propensity for violence? What was that propensity for violence? Because I've said it before, I'll say it repeatedly, nothing in our store is more important than the safety of our associates and customers. So we created a fifth tier at Kroger called Extreme. Thank goodness we don't have a lot of them, but they're out there. So, as you look at level ones, more the low-level, first-time offender. Tripwires that we have in the store, anti-theft, Benefit Denial tools work. Level of violence, potential for violence we see as low or, at the very best, medium. Mobility, well, they're all over the country. We operate a lot of stores.
Total loss in the shoplifting bucket, we think, is somewhat minimal to the other two. Second level, and I've talked about this, and we did at your LPRC impact meeting, is the more coordinated and organized. They may limit the number of boosters because boosters can reveal the head operators, which lead to problems for prosecution for them. So you got the level two, very well organized, plan their stores, know where they're going, have their shopping list, have teams at the track. Mobility is significant. They could be running the I-95 corridor on the East Coast. They could be running the I-75 corridor. Well-organized, very efficient. Characteristics related to violence, we view as medium to high. The reason we say medium is they're very well organized. They think about this.
We've had them come in and speak to our AP team, some of these people that have converted. But we say medium to high and high because maybe some of these folks have been arrested a few times. Perhaps they have a criminal record. This next one is gonna be the one that may result in some significant jail time. So there's no absence of violence there, but there is a violence component. Then we have level three, and for us, that's more, unfortunately, the drug-afflicted, the homeless. We see them with limited mobility, and you probably know what markets across the country I'm talking about. Every retailer in America, I think, faces similar issues. The violence level, potential propensity, we see as extreme. Extreme.
So in these stores, we've set up an extreme store strategy, and we're doing a number of things within those body of stores that say, "We will take our stores back. We're here to do business. We're a grocery store, and it's not — it's gonna be business as unusual in some of these stores, but no longer are we gonna allow that population to rule our stores. We will, we will, we will take this bull by the horns, and we will leverage technology. We'll use things like AI." We use a number of vendors in this room. We have Camera Towers that I'm happy to discuss offstage. We have the Everseen technology at scope. And we've created what we're calling an elite guard.
You know, guarding in retailing can be complex, and this is not just about having a guard, it's about having the right guard with the right equipment, whose job it is to make sure they safeguard our stores, first and foremost, from a safety point of view, and then secondarily, from a shrinkage point of view. We're on that journey. We've been on that journey for about six months, and we're very excited about it. We've got great senior leadership buy-in for this program. We've got great solution partner buy-in for this program. Don't let me get too expansive here, team, but 'cause this is kind of my passion.
Yeah.
We're looking at this thing, and I heard you reference it earlier, this ecosystem. So how do we take our great strategic partners, like Everseen, like LiveView Technologies, like Purchek, like Auror, who I see in the back of the room? If you miss these guys, I don't know how you could. They're wearing the big yellow shirts. But how do you stitch that together? How do you integrate that in such a way that that becomes a force multiplier? Every one of these solutions adds value to our organization. But to the extent that we can have sort of a spoken hub and a data aggregator, and we're feeding that information in on the very value-added return that we get on these investments, now it becomes more of a value proposition for the organization. So we've been on that journey for a while at Kroger.
We're very excited about it, about outstanding senior leadership support of it, and, if the passion's not coming through, it probably won't. That's, that's a real big one for us. There's a gentleman on the front row who's got a, a widget or a gadget. Probably won't show it, but it's really about exploiting technology, right?
Mm-hmm.
Let's test, let's learn. If we fail, let's fail fast, and let's keep moving. I've always been a strong advocate for that.
Perfect. So let's now leverage. We've talked a little bit about the scope and scale, the damage, the impact that's going on from the theft, fraud, and violence out there. Look a little bit at theft primarily, but we're also interested in violence, right? The mass attacks you see, whether it's in Philadelphia with looting, multiple stores are shut down and will never open again, those neighborhoods— They're out of luck now, right? They've been affected as well. We're also talking about what we also, I would say, Nordstrom one and two, mass attacks there. Individual shooters, right? So we're working on active shooters. We've got things going on in the works right now, but we're gonna talk about leveraging AI, because we can use it for both of those extremes, but we're also gonna talk about how.
So Cynthia, if we can kind of take a look at how we're thinking about the world, how things are being implemented, and in our particular ecosystem, and really this is about a 23-year-old, 24-year-old concept, evidence, research-based, in peer-reviewed journals and so on, but we all use it in the industry, these retailers that are here. And really, at the end of the day, a crime of attempt, event, incident, starts with an individual or maybe a crew of individuals that move through place and time, and they victimize, right? Their decisions may have happened in the moment or could have been over months or years, but they have to move in place and time, whether they're working there or visiting or otherwise. So it helps us, though, create and understand aiming points. Think of a cancer cell, a virus.
It has to initiate, and it has to progress, and it has to progress in steps or stages. It's not linear, they go all over the place, but they have to, and they're, they have to kind of check some boxes. Those are aiming points for us to sense them, to affect them, and to coordinate to do both of the above, of the above, right? It gives us a logic model. That's what science is. It's a logic model and evidence or observation. So Cynthia, next one.
Yeah.
What we've done now is we realize, too, not only does this person have to move there and do something to harm us, to victimize us, but unless they're caught or killed during the event, they're moving on. They're moving on, and those, we want to think about what happens before, during, and after that point. Again, opportunities for AI, right? Whether it's visual, digital, Auror, textual, that's how we look at the world. And whenever we have retailers in, whatever we do with all our research, everything is aligned. Okay, where does that fit in to detect, affect, or help us connect in this area? So Cynthia, if you go to the next one. Now, again, if it's a serial offender, and there are millions of serial offenders, they're coming back, or they're going somewhere else, right?
So what we didn't prevent the first victimization, that first instance, but what we collected, again, leveraging AI and so on, might be helpful either in the next moment or over time to prevent and safeguard a victim, too. Does that make sense? Again, the victim could be a person, place, merchandise, money, whatever, but that's how we look at the world. And this logic model is how all of us come together, line out everything that we're doing, and trialing, and have what's called in the profession common operating language, right, Francis charges. So, which we have a lot of that, too. So that's kind of how we align what AI play, and that means what signature or signals are we looking for from that offender, that crew, that we need to pick up on? What sensors do we need to do that?
What AI models do we need to use to maximize that, and then how do we get that to the right people at the right time to make the call? Still, no matter what the AI play, human still makes the call, right? AI is giving us a heads-up, and the more sensors we have telling the same thing, the better decision that we can make, okay. So that's just kind of framing up from that standpoint. There is a method to the madness. We're not just hopefully just doing stuff. We have kind of a model, so we're all kind of working together. And at LPRC, you know, with 240 corporations, we can get some stuff done, and that does include all these retail associations, all the law enforcement agencies, P&G, and the other manufacturers, right?
We can get things done, but we have to have this model, and so whether we're meeting with Mike and his team or anybody else, we can do that. So thanks. That's just showing affecting offender choices, detecting them, and then connecting within a company or within a store, within a company, between companies, between companies and their law enforcement partners. Yeah. All this happens in an ecosystem. Just give you an idea also how, what we can do. We have six really cool interior labs, one that is an amazing store set up, with 300 technologies in there, by the way, but we also need to work in the wild, not just in a store, but with groups of stores. So we have stores that are co-located in enclosed malls, open centers, non-shopping centers.
In this case, on the east side, Walmart, north side, Family Dollar and Dollar General, Advance and AutoZone, Circle K and Wawa, Walgreens, and so on. How do we help them individually get better? How do we help them work together to get that community immunity that they need? And then you'll notice red dots there, by the way, are what are called crime generators, attractors, maybe even a radiator, liquor stores, bars, right? What happens at your place, again, to start, may not end there, but it's also largely affected by what's going on around the world. So we're working with sensors outside of that particular res-- that place that we're interested in protecting within that place, but between something that can inform all the places, right? And maybe in a moment or over time. So that's that method to the madness there.
Yeah. So, you know, Robert, we didn't hear from you as well, and I know you have put a lot of thought into what you're doing at Jacksons Food Stores, and what the problem is, 'cause your problem is very different than Mike's problem at Kroger. You have a different environment. Can you give us a little information on that?
Sure. So as I mentioned earlier, you know, we don't have the same type of problems as big box stores. A lot of ours is around fuel theft, and, and we're leveraging, you know, RadiusAI, along with Lenovo and NVIDIA to help with that. That's kind of our partner ecosystem. But some of the other things that I alluded to earlier, such as, gift card fraud, that's, that's the whole reason I, I actually started diving into this, is we were having issues with, gift card fraud, people calling up the stores and, doing social engineering and, and trying to get gift cards activated.
And so was looking at a product called InStore AI , and I believe they're here at the show as well, where it's listening to certain keywords, and when we were hearing certain keywords about activate, you know, a number of cards and things like that, that could tell us in real time that, hey, perhaps a theft is going on, and looking at ways to stop that from even at the easiest way is, like, dropping the phone line, so it just cuts them off. So, you know, things like that, the scanning, the self-checkout, we don't really have as much problem as somebody like Mike at Kroger, where people are taking product and scanning something else, because everything's real close, and the cashiers are there.
But, you know, I think part of the big thing is that we need to keep in mind, and Matt alluded to this, is making sure the ecosystem is consolidating all this data. 'Cause there's a ton of data that we now have the availability to, and we're just gonna overrun the operators, and they need a way to consolidate this down into something actionable, like, "Hey, here's five things you need to look at," or, "We're seeing trends," and sometimes some of the generative AI, AI or the artificial intelligence can help us determine what those trends are and give the operators actionable information so they can go and be more proactive rather than reactive.
Excellent. So let's, I wanted to talk a minute about self-checkout, 'cause we don't wanna just think about the inbound, we wanna think about the outbound as well. Mike, can you talk just a minute about what you experienced at, I don't know if you wanna say Walmart, but certainly at Kroger Company, before you started instituting that AI on the front end? And we talked a little bit about this outside, some of the adaptations that were made there behaviorally to help better impact and better safeguard your associates.
Yeah. Well, first and foremost, we love self-checkout at Kroger. It is, it is what we do, and we, we will continue to do it. But we also know there's, there's individuals that take advantage. I mean, and I know I'm preaching to the choir here. But what we've learned over the years in working with our solution partner, and the great work they're doing in that space is, there's the evolution of change. You know, initially it was just skip scanning, right? Just whether purposely or not, the items were getting bagged. And look, we're in the business to sell groceries, so if not—if you're not scanning it, you're not selling it, and you're shrinking it, so it's a bit of a double whammy.
And then, as you know, and I'll use the words of the CEO of this company, as we slap them in the face a bit on, "No, you can't do that," then they adjust behaviors, and they start coming out wider around the scanning bed, so we have to come out wider with them. So, and then from there, we introduced ticket switching. And I've got videos here that I'd like to tell you they're entertaining. They're really not, but I guess in some respects, you'll find some humor in them. Somebody will get a pack of Kool-Aid, right? And you know this, Chris and Keith. Put it over a $100 brisket, and you got a Kool-Aid flavor, a $100 brisket going out the door for $0.79. So then there was the evolution of ticket switching.
So as we dialed that in and got efficient and took the small percent that were taking advantage, it's sort of that little number times a big number is a big number, both in sales and shrink. Then they and we smacked them there, and then they said, "Oh, I'll just leave it in the cart." So now this solution provider, they're in the room, said, "We're gonna give you cart base loss." So to the extent that that product remains in the cart and is never even introduced at point of sale, and our own mystery shops told us we had an opportunity with that, they're now capturing that basket. And it cues that self-checkout clerk over to that robot, the self-checkout unit, and we literally show the video in all these matters of the item in question.
So it's no longer the Easter egg hunt. There's been some critics that say, "Well, well, you're really slowing down the customer." We think we're speeding up the process. You know, there's been weight scales in the industry for years, a lot of friction with that. We think we're optimizing the experience, and goodness knows where we'd be on shrink if we didn't have that technology. So, and that's what we look for, Dr. Hayes, and our solution providers. How can they help us think and look forward to say there's a bit of a shelf life in what you're doing, and you need to constantly reinvent yourself. So that's, you know, that's one point, and then, then the ecosystem. And I'll reference self-checkout.
I do believe in what we're seeing and witnessing day-to-day at Kroger, you're getting more coordinated theft through self-checkout. 'Cause it's a bit the guiltless crime, is it not? Just blame it on, "Oh, sorry, didn't realize I didn't ring it." Whatever it is. So if you look at these coordinated teams of organized operators in theft, self-checkout is the land of opportunity. So we got to stay a step ahead of them, and we're gonna accomplish that through AI and with our teams. Now, let me add on: We're concerned about safety. We want our store attendants safe in the course of doing their jobs.
Yeah.
And we'll opt over safety for them than we will more so the prevention of Read going out with that brisket. But, but it's important that we do both. We mitigate the safety risk, and we look at the loss impact to the organization, and, and the opportunity for missed sales. So, and then you think ecosystem. So how do you take these red actors that we so commonly refer to them as, and how do you connect them to something else that's a solution in your store?
Like, LiveView Technologies, where we have towers that are software-driven. We literally had we stitched together sort of with bubblegum and Band-Aids in the beginning, the notion that if we trigger a gatekeeper or Purchek system at the door, that tower is gonna pan to the door, zoom in, and give us the image of that individual or individuals and where they're going.
Mm-hmm.
If they get into a vehicle, to the extent that we wanna leverage license plate recognition, we're now starting to create this integrated ecosystem that positions us much better. I was at a conference recently, Read, I don't know if you were there or anybody on stage was there. I'm sure some of the audience members might have been. We had two attorneys general come in and talk about: "Look, you know, we care about ORC. We wanna be more involved, but the things you're doing with AI, machine learning, and technology that allow you to better package a case, make us more efficient in assisting you." So rather than they have to do a lot of the investigative work, the retailer themselves is doing it for them. So it allows for you, you're more nimble, your ability to prosecute these bad actors becomes much more efficient.
So that's a lot of the work that Kroger is undertaking, and that work continues. And I just wanna make one final comment here on that. The collaboration that we're seeing today, in my 40 years+ doing this, across retailers, across law enforcement a cross many of the cities in which Kroger operates, is growing in a much favorable way. Still a lot of legislative work to be done. I think we all recognize that. But there is the coming together of the retailers for the common cause of life, safety, and safeness. And then how do we eradicate this organized problem? Because we all know it's got a very egregious underbelly, drug trafficking, human trafficking. So it is the challenge of the day. But again, I'll repeat, safety first, a shrinkage thing second.
So, and I think you set the stage, too. Interoperability, more and more, whether we're talking with Bunnings down in Australia and New Zealand, too, obviously, throughout the United States and Europe, we got to be integrated, integrated, integrated. We can't have all these disparate things. We wanna align, integrate them for maximum effectiveness. You know, go from that mono to poly treatment concept. But going back, how can we know a threat's coming our way? Can we look at things online, texting, other things, that there are threats going on to indicate somebody inside or out is coming to harm us in some way? That's worked on the parking area.
Knowing that that vehicle that's now hit two or three other sites is just pulling up to and entering our parking area and understanding that sphere, to give, again, our manager and the team another few seconds, heads-up in that case, detecting certain weapons, screaming, you know, obviously, tires screeching, glass breaking, metal banging, things that might be significant, yelling, and so on. Those are important AI plays for us way before they even get into that zone three, the interior space, as they transition in. Again, the same thing, we are trying to leverage AI, and I thought you wanted to show maybe a quick example.
Well, I actually think Robert has some interesting examples.
Yes. 'Cause Robert, you're dealing with gas drive-offs, and you're dealing with tankers pulling in, right? And fuel stops are retailers that deal with that. But anyway, let me. Can you take us through an example here?
Sure. This— what you see here on the slide is one of our fuel islands. We can, with computer vision, see vehicles. We can look at each dispenser. There is LPR, so we can get license plates. And we can see, like on the screen here, you see pump 11, occupy faults, active faults. But when somebody engages the dispenser, puts the nozzle in and starts it, it will switch to active. It starts a timer, so we see how long the nozzle's active in a vehicle and fuel's flowing.
So why that's important is, you know, for fuel theft, if somebody has a specific type of vehicle, it maybe has a bladder in it, and taking more than the amount of fuel that should be required for that type of vehicle, it can set off an alarm. And even with the right integration, we haven't done this today, but it can even shut off the dispenser, so that the fuel will stop flowing. It can alert police department, law enforcement. We have the license plate. And even more importantly, in the next slide, we see right here, it'll identify different types of vehicles. So the important thing there is to realize, you know, gasoline weighs about 6 pounds a gallon, and diesel weighs just over 7 pounds a gallon .
So if somebody's gonna come in and steal 400 gallons or 500 gallons worth of fuel, they can't put that in a Toyota Prius, right? Because it just, it won't hold it. The weight is too much. But if they have like a Ford F-250, F- 350, something like that, that they can hold that much weight, then you know. So it, it could just be, you know, a Prius is pulling up, we're not so concerned about it. But if you have a very large truck pulling up, and they're there with the dispenser engaged for a certain amount of time or over a certain amount of time, then, hey, maybe something's amiss. We can alert the people inside the store. You know, make sure to preserve the, the video camera footage, things like that.
Alert law enforcement if it's a repeat offender based on the license plate. So this is just one example, you know, using technology that's available today. The first slide that I showed, that was. We didn't change anything with our cameras. That was existing cameras that we had at the location, just pointing out at the dispenser. We didn't even align it correctly to capture all of it. We just, we were just doing a test with the folks at Radius, and, that's what we came back with. So it's available today. It's relatively, you know, cost effective, and so it can really help.
Because when the problem we were seeing when fuel in certain parts of the country were hitting $9 a gallon, that's when people got creative on figuring out how to steal fuel, whether it's from the dispenser or maybe parking a truck over the valve where the fuel gets delivered, and taking it that way.
Yeah.
Yeah. We could spend an hour on fuel, right, Rich? So we, we actually have law enforcement, too, in addition to asset protection, loss prevention practitioners in here. So that's giving you some idea of some of the issues. We can, again, go on all day on a whole bunch of other ones, that's for sure, and all the variations, but that's some of the plays. There's a lot of opportunity out there, and we're gonna talk a little bit about partnering-
Yeah.
Partner for the future.
Yeah, and, you know, what I will say is the technology is maturing so quickly, right? What you looked at even six months ago, a year ago, it's completely different now. Computer vision, video analytics, now with generative AI, the ability for, to leverage artificial intelligence to interpret that video content from a human perspective to is it's just rapidly growing. So partnering, you know, is really the, the key thing, and it's really, it's a community aspect of, of partnering for the future. Let me go ahead and, and move forward. We all need, we all need to chip in. You know, the insights that you have, every retailer is gonna have a different scenario. You're selling different things, you're in different environments, they're all gonna be different.
We all need to understand those nuances, work with, work with your technology partners, those independent software vendors, and also, quite frankly, with LPRC. NVIDIA and LPRC have joined together because you've got a great community of retailers, you've been researching for so long, you have that understanding and knowledge there. For NVIDIA, it's, you know, how do we bring the right partners together? We work with hundreds of independent software vendors. How do we start to bring the building blocks together, start to create an ecosystem to then continuously expand on that? Because no, no one software vendor is gonna nail all ORC, right, in all scenarios.
So it's really about that hub-and-spoke, Mike, that you talked about, creating that backbone and starting to work with companies to bring together and build that solution and start to work, you know, and partner together, while, you know, still maintaining their IP, right, and the safety of their, you know, their software IP, your IP, your information, right, that needs to be secured as well, and start to really expand on that. That's the key thing.
Yep, absolutely.
Yeah.
So we're excited about that partnership, and, that's gonna be—y ou heard Mike talk about first, it's, bubblegum and, you know, baling wire, trying to pull things together, and you get better, and you learn, you know, it's all about adjusting and learning, just like the red actors are adjusting and learning constantly with each other. So we've got to do the same thing, but learning how to integrate all the organizations without, like you say, damaging IP situations.
Yep
So if anybody's interested, we'd love you to get in touch with us, any of us on the team here. I think I wanted to go back over to the Lenovo team, Matt.
Right.
What compute, you know, compute's getting better and better, obviously leveraging the GPUs from NVIDIA. But what are you guys doing to get bigger, stronger, faster, in your case, smaller, quieter, faster, and more powerful? Because we deal, all of you, with tiny boxes in our organization, all the way up to mega centers, and so different horses for courses, as our British friends say.
Right. Of course, I promised the panel that, as somebody who deals in a lot of cases in devices, I wouldn't talk about CPU, GPU, NPU. So I'm sitting here listening to the amount of bandwidth and the amount of storage and the amount of complexity that's gonna require, and just rubbing my hands together. But let me pause for a moment. No, you know, obviously, the things we're talking about are going to require a tremendous amount of technology. The platform is going to be critical. The ability to run multiple outcomes on a single device is gonna be absolutely just part of our DNA in this part.
But what I still want to return to, in spite of that, and that sounds like a lot of complexity, and it sounds like a lot more expenditure, a lot more overhead, a lot more difficult. Now, what I want to get back to is, look, we're here to help you simplify this. We're here to help you deploy. We're here to help you manage, and ultimately, we're here to help you at the endpoint with the associates, whether you're dealing with associates in a store of 1,000 people or associates in a store of three people. That's what's gonna be most critical to us, and that's why we are entering into the kind of partnerships we are with NVIDIA and with these ISVs that you're gonna speak to. Ultimately, is it gonna create a lot more opportunities for folks that are primarily in compute?
Oh, yeah, absolutely it is. But again, let's get back to what that ultimate outcome is gonna be, and let's get back to making sure that you can utilize AI in your environment. My final word on this would be, look, as Lenovo, as a manufacturer, as someone who owns our own supply chain, owns our own warehousing, we have a tremendous amount of intellectual property that we have, and we want to share with you.
Mm-hmm.
Yeah, and we get just from our standpoint, Cory and our team, we're behavioral scientists, right? We've got a psychologist, too, which is behavioral scientist with us. So we were doing biweekly calls with NVIDIA people, and we worked with Lenovo people and others, and I'm in the College of Engineering, but there's no way I'm an engineer or computer scientist. So leveraging that expertise and technology, you know, what's a GPU? No, but what are- we need to understand those things like you. But— And I talk about the servers. I know the ones that were donated in our labs went from sounding like two 747s starting up, and the entire building need to be abandoned, to now we've got small— just as capable, computers in there, processors, servers, is what I'm looking for.
So, I wanted to bring that part up, but I want to really quickly go over to you two guys, 'cause that's the other part we want to touch on. Okay, you've got use cases, you've got this. A lot of ground's been plowed, people are learning lessons, how do you do this or that? You know, maybe let's go, first of all, I think it's really neat, real quickly here to you, Robert. In your organization, you have that role, so you understand tech probably better than Mike and I, times two combined. But, sorry, Mike, but I would say, how did you, how did you adjust, adapt, and get this, the capital and the resources to make it happen? I mean, in brief, I know, but-
Yeah, so that's an interesting question. So I think for us, the key is finding the value proposition, and so looking at computer vision from a number of different fronts, from loss prevention obviously is one, but also from how it can help the customer, and how it can make our associates more productive. You know, we're combining the same technology to look at our food offering and to see how long something's been out on the roller grill, or if something's missing. If, like, we're out of pizza and it's lunchtime, it can send an alert to somebody in the back room saying, "Hey, bring out more pizza." So taking that and leveraging it with the same type of stuff of the example I used at the fuel island.
So it's the same technology from the same company, can be used for multiple things, which really helps on the ROI. So that, that's probably-
Okay.
-the best.
Making it a priority and getting the right people. Mike, anything to add on that? How did you get that through the capital committee, or did you have to carry that water? Did somebody else do that, or, or it was a team effort, I guess?
Well, we've got, we've got a great partnership with the Kroger technology team, back in, in Cincinnati. T hey listen to us, we listen to them. So that's an important step. And, and, you know, you have to, you, you can't lead with emotion. You, you know, you gotta come in with factual data that says this is the issue.
Mm-hmm.
The business has to agree and align that it is, and then we bring the resources to bear, to address it. I will say, public shout-out to you, Dr. Read Hayes, and the Loss Prevention Research Council. I can't tell you the countless times we pressure test whatever it is we're looking to do, through you and your team to make sure that we're on the right, right track. I think there's mutual learnings there. And as I said earlier, I think more and more retailers are coming together, with the best ideas that are in the best interest of everyone, not, not just that particular retailer.
You know, there used to be the old saying, "You don't have to be faster than the bear, just the other guy or gal." And I think more and more that that paradigm is shifting to, let's go at this all together.
Yeah.
And so when you think about your strategic partners and your solution providers, you think about the folks that are the underpinning of that, our IT departments, our legal teams, our privacy teams, all very important players in that process. And, you know, as you see capital funding, I mean, you have to demonstrate there's a need, right? You're not gonna get an open checkbook. You have to, you have to show the problem, you have to demonstrate the size of the problem, and you have to lead with fact, not emotion. And, and I think that's how you stand yourself up for success.
Yeah.
Okay. I can tell you one thing we've learned as a group, is getting the protocols, how are you gonna use this from the corporate level down and up, and back and forth, is just as important as the tech stack and integration of technologies. And then having that roadmap too, for both. "Hey, we're gonna have to adjust and evolve what we do, but how we do it," and we found that, we call it in criminology, dosing too, right? Where do we put this deterrent? What does it look like? How many do we need? How do we keep it current? Should we prime that, prime the pump with signage or other things, right? There's all these dosing questions, and I think it's the same thing here. So that would be one call-out we've learned is protocols. Get the process down.
Well, and to piggyback, Dr. Read, or Dr. Hayes, one of the things that I think each of you talked about was really that long-term vision.
Right.
Right? You're gonna start with one problem, right? It's this, and you're gonna use, you know, work with a software vendor, develop in-house, whatever it might be, solve for that problem. But think about future-proofing. You know that down the road, I'm gonna solve for this problem, then I want to solve for this, then this scenario, then it's that scenario. And so think about from a, when you're going in for the budget, when you're going in for, for planning, think about it from a, "I want to solve longer term," and, and build that into the plan. So often, you know, we see retailers, they say, "Okay, I'm gonna do this, this particular solution. I'm gonna install this particular software, right, in my stores." And they do that, and then they go, "Now I want to expand.
Well, I didn't think about expansion. So just build that in. If there's one piece of advice I can give you, is think about the long term, think about that vision of where you want to go, and plan that in. That'll make your life a whole heck of a lot easier, instead of having to go back-dip back in again and go. Oh, and by the way, now I've got to replace everything, and I've got to, you know, I've got to expand out." So consider that future perfect.
Well, I wanna build on that just a little bit. You know, you think about technology, AI, and everything we're doing to try to introduce this to help protect our associates, customers, and increase the profitability of our organizations. You know, I think it's extremely important that those technologies be allowed to touch other things. I mean, the mantra at Kroger is, "Full, fresh, and friendly." So if we can introduce AI or any technology that enhances any one of those three priorities, better in-stock position.
Yep.
I mean, imagine, if you will, the Everseen technology. I'm scanning Kool-Aid for a beef brisket, while my balance on hands, my inventory management, is immediately negatively impacted by that. So I think the more that you can go to market, so to speak, with your respective organizations to say, "This is gonna help us on many fronts. It's not gonna touch just the shrinkage piece, you know, I would tell you the life safety is priceless, but it's not gonna touch just the shrink part, but it's gonna touch the customer experience.
Mm-hmm.
Because we're all driving, you know, for that customer, and we're all driving for that customer's wallet. So, if you've got a technology that's got a higher ceiling, you're gonna have a lot more success in pushing it through your various, financial models, that your company sets up. And I think ideation, Ed Wolf, the gentleman here on the front row, he came to see me in Portland, he came to see me in Atlanta, and said, "I've got an idea on how you can shine a light on your level twos." And I said, "Well, tell me more." And, you know, these protective, devices that audibilize have been around for a long time, and I'm not saying they're ineffective, but he's added, what I've affectionately referred to as the bubble.
So if I've got somebody taking, you know, six of these tags off a Tide item in the back corner, because it's a great place to discard those things, I got a signal being emitted in the gondola that says, "There's activity going on back there that is inappropriate." So if you think about these level twos, and to some degree, the level ones, shine a light on them, and that's what we're trying to do with technology. I wanna put you under the bright white light, and I'll coin a phrase, by Mr. Hayes here: see it, get it, fear it.
That's sort of been the mantra of how you've gone to market with your research study, the work you and your team do, because, you know, I'll go into some of our stores, quite frankly, and you'll see a public view monitor that on its face, you know, there's an effectiveness about it, but it's 20 feet in the air. I don't know how many times, reading that, I couldn't find a restroom 'cause it was too high in the air, the sign was, you know? So it's all about the science of how do you make the bad operator, the bad actor, see it, get it, and fear it.
Right.
It's very easy to voice that over. It's a little bit more difficult to achieve it. But to the extent you do, you're gonna be ahead of the game.
Yeah. Their heads are down. Who knows what they're experiencing in their head-
Yep, yep
... or their eyesight or their intellect. But yeah, so we have our work cut out for us. And I think, you know, at this point, one thing, too, a call-out, we're always looking for real video and other footage, other datasets, real-world datasets, synthetic datasets, right? That everybody can build models together with us and whomever. So the more we can do, but also subject matter experts, I think you know that. You may have this amazing dataset, but do you—how do you really recognize what that you should be recognizing with your model? That's where people that have seen it, done it, been there. 'Cause somebody said, "Well, I want a shoplifting model." Okay, I mean, we could talk about what are you stealing, who's stealing it, and how many are stealing it, what are they using to steal with?
And, there, you can imagine there are thousands of iterations of somebody taking something they're not supposed to, without paying for it. So just another call-out that, it can be done, but it really, sometimes you've got to do a little bit of homework, right? What are we looking for? How do we annotate or label it? And things like that. Things that Cory and I spent a lot of time with our computer science friends figuring out. They figure out, how do we do this, but we figure out what they should be doing that with. What are those specific behaviors that we're looking for? So, but we have now models in our labs that people will put in that are picking up clear liquid on light floors, some of these holy grail things.
There are models that some of you guys have or you're working on. We'd love to know about them. Reach out to us or anybody else, let us know what you're doing, and work together. Any last thoughts from this team?
I would just say, to the point earlier, just, you know, plan for headroom around whatever you decide to do at the edge, 'cause, you know, the technology's evolving, and there'll be more and more things to add at the edge, and so you don't have to go back to the well and get additional hardware at the edge. So— Or buy something that's modular that you can easily add on to.
I'll just say thank you for being here, and, you know, this is a team sport. It takes a village. It takes all of us when we think about this problem, so it's a privilege to be here for me.
Yeah.
Okay, well, again, thank you for joining us. The one plug, if I may, I'd like to put in is please do stop by the Lenovo booth and have some deeper conversations with us about some of the things we've talked about today.
Yeah, and I would say a number of the ISVs that we talked about today, the software vendors, are in Lenovo's booth, or they're here. They're definitely here at the show. Please go visit them, learn more about it. And to Dr. Hayes' point, if you're interested in collaborating and you wanna be a part of it, please come see us as well. Afterwards, we'll be up at the Lenovo booth for a while. You've got my information, you've got Dr. Hayes' information, our names. Go ahead and reach out to us. We're always looking for more information, more collaboration, 'cause we can't do it alone. None of us can do this alone. We all have to be part of the solution. So with that, thank you all very much for coming.
Thank you.
Thanks, everyone.
All right. Good morning, everyone. Thank you so much for joining us today. We appreciate that people are still filtering in from the keynote sessions, but we're excited to kick things off with you today at our Big Ideas session. So, my name is Wendi Whitmore . I lead Unit 42 at Palo Alto Networks. For any of you who may not be familiar with Unit 42, we're really the eyes and ears on the ground. So we conduct investigations, we have threat intelligence analysts, and then we've got threat hunters all throughout the world who are working on behalf of our teams and all of our clients in a variety of spaces throughout the world.
So with that said, I'm really excited today to have this outstanding group of leaders who have so much industry experience that they're gonna be able to share with you today. So, Carrie, I'd love to kick it off to you first and have you introduce yourself and tell us a little bit of your background.
Great. I'm Carrie Tharp. I lead up strategic industries at Google Cloud, looking after all of our customers across a range of industries, but my background is in retail and consumer. So I spent my career as chief digital officer, chief marketing officer, brand president at places like Neiman Marcus and Fossil Group. So I spent a lot of time thinking about protecting my payment systems, my network, my customers' data. And at Google, I work with our teams to bring the best of our capabilities forward to customers like Kroger and Ulta to make sure that their innovation roadmap is safe and secure.
Great. Thank you, Carrie. Really looking forward to your perspective here. And Nicole, would love to turn it over to you.
Absolutely. So my name is Nicole Beckwith. I manage threat operations for the Kroger Company, and within that team, we have threat intelligence, threat hunting, detection engineering, and insider risk and fraud. So a little bit going on there. And my background, I've been at Kroger about three years. Before that was in law enforcement, and did incident response and digital forensics for the State of Ohio and the Secret Service.
Awesome. Thanks, Nicole. Definitely looking forward to hearing what kind of threats you're seeing. Diane, over to you.
Good morning. I am Diane Brown, and I have the honor and privilege of leading the IT risk management team at Ulta Beauty. We're a team of about 40 people right now, and we cover everything except physical fraud and, I mean, physical security and fraud. Everything else, we do identity management, access management, compliance, threat intelligence, cybersecurity. You name it, we do it. I've been with Ulta for 16 years, and one of the things that our newest addition to our portfolio is, of course, cloud, and with the digital transformation and how that is coming into our organization. I think that's one of the things that I love to talk about, our journey and how we've gotten where we are today.
Awesome. Thanks, Diane. I'm definitely a big fan of your organization, so I know we're all looking forward to hearing more. So you brought up digital transformation, and well, let's start there, but I will say that there are so many aspects on the retail landscape that are unique, I think, to your industry, right? Relative to not only all the cyber criminal and digital threats we face, but certainly the physical threats that you have in terms of, you know, opportunities for shrink and everything else in the stores themselves, as well as online in, you know, the cyber criminal aspects of that. So we're looking forward to kinda touching base on a wide variety of those. But Carrie, let's start with the digital transformation, and I'd love to hear what you're seeing across the industry and then really what you see moving forward.
Yeah, so I think over the last decade plus, all of our experiences have become data-centric. And so it's no longer just about protecting payment systems and kind of your e-commerce transactions, but starting to think about how you protect and secure all of your consumer data across every new experience that retailers are looking to bring to the market. So that's where we see people thinking about classic threat detection, looking for those bad actors. But then when you expand to the physical world and the types of experiences there, AI is beginning to offer new opportunities, for example, in loss prevention. So being able to recognize with vision kinda common actions that are happening, aggregate that data.
We're working on looking at data consortiums to help across multiple retailers, so they can recognize patterns, so when they come to their store, they can address those appropriately, which leads to better customer experience. So I think all of us have been to a store where they're out of stock of something that might have been caused potentially by crime. And so making sure you're just meeting the expectations of all the great loyalty programs that, that are coming out, different promotions that you have, and ensuring that bad actors aren't getting in the way of that experience. But I'd love to hear from Diane and Nicole about the types of experiences they're thinking about as well.
Sure. So, it's interesting that you touched on the customer experience, right? Because first and foremost, that's what we care about the most at Kroger, and I'm sure Ulta Beauty as well. You know, both in-store and the digital online experience. The pandemic was a really good example of how we got to use, you know, cloud to accelerate that experience. And, you know, it was a really fast shift from, you know, in-store to have to scale at speed. And one of the ways that we were able to do that was through utilizing our cloud partners and resources such as Google.
So Carrie touched on the topic of data and how important data is, and it's very interesting over the years. I mean, the big thing back, you know, 10 years , 15 years ago was credit cards. You know, trying to get a hold of somebody's credit card in order to make, you know, fraudulent transactions. But now they're more interested, you know, in the loyalty, like you were talking about, getting a hold of somebody's loyalty points and being able to purchase products and commit fraud in those different ways. And I think one of the good things about the cloud and what we've done in the digital transformation process is we have ways now that we can actually make it better for the guest experience. So now they can go out there, and we can do buy online, pickup in store.
We can do ship from here , ship to your home, ship to door, store to door, we call it, when you want to—if you go in and our inventory is not there, and how we can get you—still get you the product that the guest wants. But because of that, we've had to take that digital transformation, and as a security person, as you know, it's one of the things that we always are afraid of, is taking that step into the digital world because we wanna protect that data. 'Cause, you know, as with all—you know, as you know, Nicole was saying, we always put our guests at the center of everything we do, along with our associates.
I think that's the biggest thing, is how do we take what we know and love today in the security world and use that now in this digital transformation process?
So, so Diane, I think staying on that topic, I'm really curious what you're seeing, like the benefits that you're identifying in terms of removing some of the friction to those end consumers, right? I imagine there's a lot of benefits in the digital journey, but there's likely a lot of challenges as well. I'm curious if you could share a little more insight into that side of your, your role.
So we just finished a platform refresh of our e-commerce system, so this one is very near and dear to our heart. We actually went live in August of this year, and that's where we're really trying to make a difference because, one of the things with our guest services department, when you, you know, the customer calls up and says: "You're not protecting my data. You had a data breach. Somebody got my loyalty points." And then you have to explain to that person, it's not that they got your loyalty points, your user ID has been in a lot of breaches, and the fact that, you know, the bad guys out there have your user ID, they have your password, and, you know, they're able to get onto our systems.
We've actually tried to find ways from a secure perspective to get people not to be dependent on people anymore. As we know, people are the weakest link to security, and so we're really focusing now on how we can do more to protect them, but not make them think that they did anything wrong. Because that's the thing, you don't want the friction, you don't want friction at checkout. And so we're really looking at how to make things easy from, like, when do you invoke multi-factor? Do you always have to invoke multi-factor, or can you make it when somebody's account has been compromised? Because we get all that. You know, from the— One nice thing about threat intelligence these days is you can get all that data.
So the business is actually at that point now where we're looking at those decisions and how to make them so there is less friction, but it's also been easier because more and more retailers are doing it, so it's becoming more of the norm. I think that was the biggest challenge from the friction side, is you don't wanna discourage the guest from that checkout, but we have to get better at protecting them because sadly, they're not gonna protect themselves.
Right. Such a challenge. Nicole, I'm interested in your perspective here relative to, you know, the landscape as it relates to groceries and, you know, all of that kind of platform that you guys are seeing at Kroger.
Sure. We see, you know, similar to what Diane mentioned, a lot of the account takeovers, and, it is because, you know— I hope none of you reuse passwords, right? Nobody?
No one here has ever done that.
I know.
But we do see that often. And, you know, we're trying to find ways with the multi-factor as well, to ensure that that data stays safe, but you don't have to log in every single time, because none of us like that. So using, you know, biometrics, you know, facial recognition, how can we enable two-factor authentication but not have to, you know, utilize it every single instance? What detections can we put on the back end? Impossible travel, for example. You know, if Diane logs in from Texas one day, and then she logs in from London in an hour, you know, are we detecting on those sorts of things? So it's all about defense in depth.
Obviously, enabling the business, enabling the customers to be able to shop the way they want, with the payment cards that they want. You know, do you wanna do tap to pay? Do you wanna use Apple Pay? So making sure that we give the customer those options, but make it an easy and frictionless experience.
Thanks, Nicole. Carrie, you've got a unique perspective, right, across from your previous experience working firsthand in these organizations, and now I imagine seeing across a wide variety of organizations in the space. So I'm curious, what are some of the more common themes you're seeing that these organizations are facing related to challenges?
Yeah, I think I'll talk a little bit forward-looking, and you guys can share a little bit about, kind of right now in the moment. One, I think you both guys both hit a theme of this dynamic tension between the desire for conversion and friction-free and security. So there's probably always the CDO sitting on the other side saying: "I don't want any payment friction whatsoever." But you have to do that trade-off of kind of what, what's at risk. At Neiman Marcus, for example, our promotional gift cards could actually have hundreds of thousands of dollars on it, so the risk was extremely high, and so we took that very seriously. And the end consumer often didn't even know when they were victimized.
Part of what we're looking into the future, from an AI perspective, is using generative AI in three key themes. So it's gonna help with talent, toil, and threats. One, the bad actors now are going to have more tools at their disposal to create challenges for all of you out there. So how do you stay ahead of that? Generative AI, first on that threat that I mentioned, is going to help you detect those threats sooner, so you catch it earlier into kind of whatever that issue being created is. Then on toil, generative AI, when you think about security workflows, can be very manual. You might not have all the resources to be looking at everything that your organization is dealing with at a given moment.
Generative will help you synthesize, summarize, and look at those threats and determine what to do. It also helps with the talent problem. You may not have all the resources you need coming into your organization, and this really democratizes the access to being able to deal with cybersecurity threats. When you're kind of using language models to simplify what's going on and shorten the workflow, your youngest analyst can now engage more like a senior analyst. How do you get your hands wet in those technologies? From a Google perspective, we have Mandiant and Chronicle that have been looking at automation for quite some time, but we're bringing new capabilities to market, like our security, it's called Sec-PaLM 2, we're now calling it Sec-LM. That's training on...
This is a data problem, so training on kind of the world's largest data set. We see everything that's happening to our customers, but if you also think about aggregate threats we see at Google, so we're understanding everything that's happening in Gmail. So trying to go in and access that information, and then use it across websites. I had to explain to my CEO at one company what daisy chaining your passwords were. He was like: "Oops, I obviously do that." And so understanding all of that, building it into the models, helps supercharge your own teams because I think it's almost exhausting as a security team, perhaps, to try to keep up with everything that's happening. And so how do you now use AI as a part of your team to protect your corporate assets and your consumer data?
Yeah, I think, you know, AI, obviously, is at the top of everyone's news and the top of mind. But on the generative AI side, we're really seeing a lot of activity on the attacker front as it relates to, you know, how can they social engineering better and more effectively their verbal, communications and written communications. And we've seen, a number of organizations where they're specifically targeting help desks and those type of organizations to be able to imitate legitimate users and then be able to get two-factor authentication and circumvent that. So, Nicole, with your background, in particular, on the threat side, right, and your law enforcement side, and the intersection of that, I think, is really nowhere greater than an industry like retail.
I'm curious, like, at the level, with which you're tracking threats and incidents, what's working, and, and what are you seeing in your— within Kroger?
Sure. Well, I think with AI, you bring up a great point. The barrier to entry is much lower when threat actors are using generative AI. So we worry about speed at which we can not only detect the attacks but protect against them, right? And so I think, you know, it's another tool in our tool belt to be able to utilize, to protect the company, even better. But, you know, you brought up social engineering, and, you know, we see that not only, you know, with emails, but help desk attacks and, you know, phone calls, you know, to the stores, to store associates. So a little bit of the intersection there between the physical and the cyber threats as well. But, I think AI is here to stay, obviously.
It's gonna be embedded in everything we do, and we just have to use it to further what we do as a company to protect. And, you know, developers, for example, they use it to write better code. You know, if I didn't know Rust and I needed to write something in the Rust language, you know, I can use generative AI to kinda help me out, right? So, with that also is the data protection piece of the puzzle. So how do we protect Kroger data so that it's not leaking into these platforms and into these models, and becoming part of the data set? So there's a protective, you know, aspect to that as well.
I think that's a really good theme because we haven't really addressed it yet, and a big question a lot of our customers have about your exposing your data to a lot of the models that are now out there in the market. So I think that's kind of a new area for everybody that's in the security space to be thinking about. I think there's a lot of press of companies, countries, various folks exposing their proprietary data into some of the models out there in the world. So thinking about the entire platform that your organization is using, even if it's related to topics that don't seem like they're something that the security team should be looking at, it's a new area to think about holistically because you certainly don't want any of that IP out training models.
From a Google perspective, we don't train our models on our customer data, so your interaction effectively with the models is private. That's not necessarily true as your teams and chief digital officers and data officers are playing with some of these new capabilities. So definitely, that's one of those new themes for everybody to learn about and, and kinda understand what the new risk is to their enterprise IP.
Oh, no, no doubt. I think, you know, organizations across every industry, right, likely all of us are struggling with how do our employees use AI in the sense of what data are they inputting into LLMs? Where is that data located? How do we ensure that sensitive data, right, is not - that shouldn't be in there, is not input? So I guess, Diane, on that note, before we kinda shift back to how you're, you know, reacting to that on a consumer basis, I'm just curious, from an internal policy perspective, how has the onset of generative AI been within Ulta and just getting your employees secure and ensuring that they're not, you know, inputting data that they shouldn't be?
I mean, I have the advantage. I am on the Gen AI Governance Committee, just because-
Great.
You know, it's one of those things where whenever you have a topic that there aren't a lot of people familiar with, they're like: "Oh, we gotta have a security person." "Gotta have a security person. We don't know what they're gonna do, but, gosh, we have to have a security person on there because we know they'll tell us what not to do." So, I think that was the first step. I think one of the challenges as an organization that we have, to your point, is—you know, they're so focused, like Ulta, we're really focused on trying to get it right at the beginning this time because we know it is our data, and if we do it wrong, it could be detrimental to the company, as with all of us here, you know?
And I think part of the challenge is—for especially retailers and somebody not as big as the Googles and the Microsofts in the world—is we have to try to get this group of people together. We get attorneys involved always because that's easy. A lot of times, that's the easiest thing to do. But we're struggling as organizations to get started. And as I always tell my team: "You're never gonna finish if you don't start." And so, you know, we're really trying to get started, and we've actually reached out to—w e had a conversation with Microsoft this week, and we've also reached out to Google and our account executives to say: "Can you tell us how you're doing it? Because you guys got it.
You're selling it, so you must have something that we don't have yet," you know? And it was really amazing with our conversation with Microsoft, how much they're willing to share, and I'm sure Google is gonna do the same, you know, when we have that conversation with them, but it's how do you get started?
Because similar to our journey in the cloud, and we were behind from a security—you know, from a security perspective. The business was wanting to roll fast, but we were behind, which we took a long time to play catch up. This is something you can't play catch up on. You have to get out there in the front of it. So AI has been around for a long time. You know, Siri's been around, Alexa's been around, you know. Everybody— I don't know if people actually put a label on it at that time, 'cause that's kind of Gen AI, 'cause you can talk to it, and it'll tell you what you wanna know. And so, you know, gen AI has been around, but now we've just made it a lot easier for people to, like Nicole was saying, train my developers.
Give my staff, "Okay, we're seeing this type of IOC, you know, and these are the IP addresses. Where should we put a block? What country should I block?" And, you know, there's a lot of really good tools, but in order for us to do that, we have to have that guidance up front. Because people are looking for guidance. They wanna know what they can and cannot do, and I think that is where companies are really struggling, is getting that documented and in place and educating their employees on how to get that done, right?
Just to pivot off that for a second as well, too, because, you know, just walking around this conference, almost every booth has a reference to AI, right? And so we know it's out there. We know it's there to stay, b ut now I feel like this year is the year of show me the value, right? So we know it can do all these things, you know, with HR and business processes and, you know, we can help the supply chain and, you know, endless number of things that AI can do for a business, especially for retail. But what is the value, and how do I implement that, safely, securely, and enable the business while also protecting it and the data, the data that's in it as well?
Mm-hmm. I think that's a theme I didn't mention earlier. We see a lot of our customers starting on internal use cases first, so it gives you kind of a safe, secure environment to test out generative on kind of internal associate chatbots, on your core functions, in the security space. So then those governance councils, or however your team has kinda orchestrated the oversight, then start to get feedback. You can identify more risks and threats, and it's kind of a nice way to wade yourself in. Because in retail, everybody's been using AI for a long time. We've had recommendations engines. A lot of them weren't generative, but you have teams and people and processes that have been thinking about it. It is now just kind of an expansion of that capability, and so flexing a couple of new muscles.
We also see people have very different teams engaged in generative. So when you think about prompt engineering, we're seeing retailers, as an example, bring in their UX and UI team and just teams that think about the problem differently, who might not have thought about some of these different factors, and so kinda getting everybody up to speed on what to be thinking about from a data privacy and protection, and then a cybersecurity element. So it's, it's kind of new and old, but an expansion of skill set for everybody to think through. And, and it's important call-out because you don't wanna think, "Oh, this is just like what I was doing before," which was a lot of closed-loop AI in your digital experience. And, and now language models really exposing you to a much broader corpus of data and list of threats.
Well, Carrie, you bring up an interesting point about just kind of the intersection of skill sets needed, now. And so, Diane, I wanna turn that question back to you, just in the sense of organizational structure. You know, retail, I think, is unique because oftentimes you have loss prevention, who is also at, you know, at the intersection of cybersecurity professionals, who in many other industries would be siloed off, right, completely. So I'm curious, are you seeing now a need organizationally to combine also AI skill sets? Are there any kinda new skill sets maybe you're bringing onto the team that are critical to really effectively protecting your enterprise?
So Ulta has an advantage. We bought a company about 5 years ago called QM Scientific, and we've been using AI. If you ever go to our Ulta app, you can try on makeup, you can try out different hairstyles, and that's all AI driven, and that was, you know, from this company. So we've already been playing in that area. So from a AI perspective, we have, you know, not controls, 'cause it's really hard to put controls in place, but very, very sophisticated, mature program when it comes to that. The problem is when it comes to the Gen AI side of it, and we were talking about the governance piece of it, it's because I think the organizations are going slow to put in those guardrails for people, people don't wanna wait, as we know.
With the day and—w ith how technology is today, and, you know, everybody has a cell phone, everybody has a computer, people aren't waiting for that guidance. And that's the scary part, that we need to find the skills to find, you know, to learn how to investigate that. 'Cause one of the things, when AI, this whole Gen AI first came out, it was a few of our vendors reached out, and they're like, "Oh, we can protect you from Gen AI." I'm like, "Okay, show me how," you know? But they really can't. You know, they're just taking basically what they have and, you know, restructuring it just a little bit. So therefore, your skills, like you were talking about, now rely back on your, you know, your risk management teams and also our data governance team.
We are in lockstep with our data governance team and how to educate them, but. And that's where we hope, we rely on, at some point, we realize we need our partners. We need the Googles, the Microsofts, the Palo Alto people to help us. That's what we need because you've been playing, you've been doing this as part of your tooling for a long time, and that's where I think a lot of us are looking for that guidance is, to your point, is what skill do they need? I mean, I have very good threat hunters. I have great investigators. But is there a different skill they need to be able to identify that type of traffic across your network? Right.
Right. You're spot on, just in terms of kind of not only the ecosystem, right, that needs to exist and that you depend on, and any organization does, but really the fact that we like to say cybersecurity is a team sport, right? It relies on so many different skill sets to get the job done. So, Nicole, I'd love to hear what your perspective is at Kroger, just in the sense of, you know, how are you organizing your team? Are there new skill sets that you're needing to bring on? Are there new challenges that your team's facing?
Sure. So with my team particularly, we have such a diverse background, and I you know handpicked those people for their background, right? We have HR, we have law enforcement, we have dark web brand monitoring, marketing, and you know that all plays into how we protect the company. My team reaches out across multiple orgs within Kroger, one of which, as you mentioned earlier, was that physical security, organized retail crime perspective. And more and more, we're seeing a shift of you know cybersecurity also touches the physical security space. And so my team is regularly working with our asset protection folks, our organized retail crime folks, in making sure that we understand where each other play.
And so if they're seeing a threat in the store from a physical security perspective, maybe gift card fraud, for example, we can see that on the back end in the cyberspace. You think about, you know, an account takeover, you mentioned loyalty payments, you know, we see that come into, you know, the physical aspect because then it transfers to, you know, actual products in the store being, you know, stolen, obviously, and then, you know, resold online or used by the threat actor. We think about, you know, skimmers in the store as well. You know, there's a physical aspect to those, too, that we have to work hand in hand with those teams, and it's so important nowadays.
If your cybersecurity team is not working with asset protection and your organized retail crime and physical security, you really need to start that conversation. We're regularly, I would say probably weekly, you know, working with those teams on those threats. So it's great to have a diverse set of backgrounds on your team, but you also have to understand where you can reach out to within your org to get those skill sets if they're not on your team already.
Right. Oh, no doubt about that. So sticking with some of your latter comments about this organized crime, right, what are some of the trends that you're seeing today in stores? Is there anything new that, you know, has come up in the last, say, six months, that it has caught you by surprise?
I would say, you know, obviously, the theft in the stores is a big one.
Mm.
You know, more-
You mean physical-
and we're talking about it.
Right.
Physical theft, correct. We were talking about it earlier. You know, we're seeing just different pieces of, you know, store—f or Kroger, it's, you know, the diapers, the formula, the, laundry detergent, alcohol. And we're starting to have to, you know, put some of those behind the counter or, you know, transition to a, a lock-proof system. You know, Diane was, was sharing how, how they do that as well, and it's unfortunate, but it's the reality of, of where we live today. And so how do we, again, going back to the customer experience, make sure that we are protecting, you know, the bottom dollar with the company, but also, you know, not making it, you know, a, a bad experience in store for our customers. So, yeah.
I think this is one of those areas that, that NRF is also thinking about. How do you apply vision and data looking at these problems? Using vision to start understanding kind of common swipe motions, how they're going after these. In the past, a lot of times, most retailers have a policy not to intervene.
Yeah.
It's a safety issue for your associates. There's always somebody that wants to step in and be a hero, and then you hear on the news there's some, you know, tragic situation at retail. So part of the challenge is, a lot of times what they're stealing in an individual case is not going to be a felony. So how do we apply data and start using vision to look at how do we aggregate things that are happening so it becomes a felony faster? This is not to say we're at an end solution, but it's starting to use the technology capabilities to help retail combat some of these issues, because there's certainly no sign that this is going to abate and get easier.
So, you know, you're seeing kind of more crews and efforts and things that I think just in the last couple of years, that we weren't dealing with as much 10 years ago. So I'm excited to see how technology can start to chip away at that element and hopefully, you know, make it a little bit easier for retail to be operating. I think it's heartbreaking from an industry perspective as you hear about store closures and where retail just can't operate in certain environments. And so how do we point technology at those problems and get to a solution faster?
So I think this one was one way where AI has really is going to be able to help us a lot. So we actually have a bot management solution, and our bot management solution was able to detect that we had some bad actors out there scanning for a very expensive hairdryer. I won't call it out by name, but... And they were scanning our inventories, trying to find out where they were. And we were able to discern, with this company's help, that which stores they were going to go steal the products from, and that store was able to go pull those products off the shelf and prevent that loss. So here's another way that the intelligence that we get and the information that we receive in IT helps our loss prevention.
We're very lucky, we're lockstep with our fraud teams because, you know, usually there's, you know, commonalities between the bad actors. But I think that is what from a technology pers you know, from an IT security perspective, that's what we're looking for our vendors to help us with, is that's how you can use AI. Start taking. You have that data. You can see what people are doing. Take that data and and turn your mindset a little bit because you're about, you know, you're saying: "Okay, I'm just looking for bad actors doing X." Well, you actually have so much, to your point, the data out there, take that data and see what else you can do with it. 'Cause it was. For this company, it was actually an employee challenge.
They bring all their employees together once a year, and they gave them a challenge, and they said: "What else can we do with this data that we have?" And they're like—and so they sat in a room for, like, all day long, and these engineers came up with this idea: "Well, why don't we start looking for other trends? And, you know, not just think about threat, threat, threat, IOC, IOC, but look at all that data." And I think from a value perspective, I think that's where we really see a lot of, you know, help as an organization, is, you know, we can't do that ourselves. I mean, I can train somebody, but then I don't need your tools. It's like—s o but we, we—and we don't have staffs big enough for all that.
And that's where I think we become very dependent on making sure companies like Palo and Google, that you're out there always doing research. I love when people show us how much they spend on R&D, because that just means you're investing in it, and you're listening to us, and you're, you know, you're making changes in your products. 'Cause we need help. You know, if organized crime, you know, as, Nicole and I were talking about, we put in those cases for our—w e have fragrance, she has alcohol, we have fragrance. They'll break open the cases. I mean, they'll come in there with a hammer because they come in, you know, 8:45 P.M. at night when you close, and they'll break the cases open. And it's like, what else do you do?
I mean, at some point like you said, besides close your store. If you start closing your—y ou know, the state of California is not gonna have a single store left pretty soon, you know, because of, you know, they have such high theft rate out, and, you know, there's the organized crime in California is just amazing, so.
Right. Right. I
Well, Diane, I think you bring up such a great point and something that's so difficult for the cybersecurity industry in general, which is kind of quantifying the actual impact that we have as security professionals to the bottom line. And so I love the story that you highlighted of: Hey, our teams identified that this theft was potentially about to happen, and these stores were targeted and able to remove product, right, in order, in advance to prevent that. We have a few minutes left, and I'd love to open the floor to the audience, to ask a couple questions because we've got such a great panel of experience here. So, yes, sir, we do have mic runners, but, while we're waiting for them, maybe you can shout out your question, and I'll repeat it.
Yeah, that'd be great. My name is Tim Tang , with Hughes. There's a plethora of all these cyber technologies that are just kinda unique, particularly. My question is, how do you make sense of all framework, but what was it that you're using that kind of takes a while?
Yeah. So maybe, Carrie, I'll turn that to you first. So for anyone who didn't hear, the question was about, you know, just the ever-changing landscape in terms of new technologies, and is there a framework that maybe you're using in your organizations to help identify what's next, what you're taking into practice, and how you're dealing with that?
Yeah. I'd actually love to throw that to Nicole and Diane first, because I think as kind of buyers, your framework is most important, and then I'll just add some thoughts.
Yeah. So for me, particularly, if I'm looking at a new product and solution, it is: what is the value to me? So, there are a whole host of new solutions out there, but what is it doing differently than what I currently have in place? Because if I have to, excuse me, spend the time and the engineering, you know, personnel on the back end to implement that tool, you know, how do I do that and then also show value to that tool? And so for me, it has to have that plus add, that bonus on the back end. Once we implement it, how is it going to help solve something that we haven't seen before or a gap that we haven't previously identified?
Also, the other point to me on that one is we're looking for a multipurpose tool. That Swiss Army knife is always that one, but it's really hard when a vendor comes, and they sell you one tiny piece of it because, to me, it's like they're not looking at the big picture. 'Cause there's more to security than just that one small piece. There's more to anything in retail. And one of the things that we're always looking for, like I said, how they can bring that extra value to the organization, and that's why I love when, you know, with, you know, the Palos and the Googles, they're always looking at companies. They're always bringing in new companies that they can help us, help us support them.
For me, it's especially with remote workers, that is the toughest thing that we have right now is remote workers. During COVID, we actually switched. We put in an EDR product, and that EDR does so much for us. And I didn't realize going away from a simple, like, antivirus application that was all based on signatures, how going to a behavioral analysis tool could help us so much. It was just amazing.
And then they continue to add little pieces to their product that you don't even know until they're like: "Oh, by the way, you can do this now." And you're like: "Oh, my gosh!" They'll, like, if you're doing an investigation on somebody, it's like: "Oh, yeah, we can show you their whole internet history now." I'm like: "But you're an EDR tool." And they're like: "Yeah, but it can do it now," you know? And that's what we're constantly looking for. I always tell vendors, I'm like: "If you wanna sell something to me, the question you should be asking is, how do you make my life easier?" You know, like, like Nicole was saying, "If, if you're not gonna bring value and make my life easier, I'm not interested.
And if my team is gonna spend six months rolling out your product, I don't wanna do that. I don't have six months worth of time to do things. So that's kind of the approach that we take.
So then I would just add really quickly on that, in the context of generative, it matters how big the corpus of information is. And so we actually lecture all the time that a bigger model is not always better, depending on the topic, but when it comes to security, it is. So Chronicle is something we built as an example. It was built to protect Google, and so can handle anything at scale and looking across all these threats, so really understanding that. And then we haven't really touched on one of the dynamics in retail. A lot of folks are diversifying their businesses.
So a lot of you have kind of banking or credit cards involved, healthcare embedded into kind of your value proposition in grocery. And so you're only as secure as your least secure element. And so making sure when you're looking at any of these tools, it is the, you know, what have you done for me lately? Show me the money type of response, but also making sure that it can handle a very complex e-com stack, MarTech stack, and understand the different dynamics you may be introducing from the architecture of the stack itself. So really looking at, you know, point solutions often can be very high performance, and you can get really good measures, but are sometimes not always as good as looking across the whole ecosystem. So just kind of looking at the makeup of your organization and stack.
All right. Yes, one more question. Thank you.
Hi. Good morning. Hope King from Axios. Just awesome topic, and just awesome that you're all women. Just have to say that. Really cool. I wanted to be here to hear you guys. I'm sorry, I came in a little bit late, so would it be possible just to maybe go through some of the trends of where these cyberattacks are coming from, you know, maybe in the last couple of years? And then, specifically, I think you mentioned at Kroger that employees were sort of a problem when it comes to theft. Is that right? Did I hear that right, or— I'm hearing from others that maybe employees are part of the shrink issue. So those two questions. Thank you so much.
Right. Perhaps, Nicole, should we start with you?
Sure. So I'll tackle that first. No, I, I was not meaning to say that employees were part of the problem. I mean, it certainly is an, a possibility, right? So there's, there's always that. But no, that's, that's not the trend that we're seeing. You know, for your other question, we're really seeing it across the board. So, one of the things that we like to do is, is do that historical correlation and, you know, really understand, you know, where the, the attacks are coming from. And although I don't like to specifically say, it's probably a better, you know, topic for you, Wendi, and what you're seeing across, you know, all the landscapes. But we do see definitely targeted, you know, threats from, from specific countries, from specific threat actors. So yeah.
Yeah, I'm happy to take that one. So I think I would categorize it in three ways: speed, scale, and sophistication. So we're seeing increased speed in, particularly, widespread vulnerabilities being now the number one initial infection vector, which is very different than social engineering and spear phishing, which it's been for decades now, right? So, with that then comes increased speed to, like, detonation. So if we're talking about a ransomware attack, or we're talking about data exfiltration, it's oftentimes now within hours instead of days, or weeks, or months. In many of these cases, I think scale really speaks to the widespread use of vulnerabilities that we see leveraged, right?
So even, it's not just nation-state actors, it's often now cybercriminals who, you know, are widespread using, l ike, we look at MOVEit, 3CX, any of the major vulnerabilities that were exploited over the past year, and we're continuing to see that. And then on the sophistication side, it's not so much just the, the security teams, right? Now we're talking about help desks who need to be really well educated on how to effectively combat identity verification challenges.
We're seeing these attackers, specifically in the cybercriminal space, really have an understanding of business-to-business relationships. So how an Ulta or a Kroger or a Google may work with their vendors who have access to certain types of systems and credentials within their environment, how they onboard those organizations, how they off-board them, and specifically looking for vulnerable windows within those time frames, to be able to take advantage of those types of attacks.
Within the retail space, then I think you add on the complexity of the actual, you know, physical attacks to stores, the need for consumers to, you know, have access to their data and be able to conduct transactions seamlessly, whether it's on the online platforms or the, you know, physical space as well. So just a huge amount of added complexity, I think, within the retail landscape. Then you, you're all managing, you know, the challenges of what it's like to run an organization internally and make sure all your employees, you know, accessing corporate devices and in-store and other locations, right, are trying to keep all of those transactions secure at all times. So that said, we are at time. I wanna thank you to everyone who joined us today.
Certainly, thank you to our panelists who have provided such amazing insights into how your organizations are running and the retail landscape. So thank you, everyone.