7 Pizzas per second: The key challenges for one CISO

by Black Hat Middle East and Africa

With three decades of experience in the IT industry, Stephen Bennett (Global CISO at Domino’s) now heads up security for one of the most fast-paced B2C brands in the world. 

Selling seven pizzas per second, Domino’s handles a huge number of payments and data transactions every day. 

But Bennett didn’t always know he wanted to work in security: from artistic beginnings to data entry, he told us how he got to where he is today – and shared the key challenges he faces as CISO for a major brand. 

Meet us back here next week for part two of this interview, and find out what keeps Bennett up at night. 

Could you share your career journey so far?

“Starting off, becoming a cybersecurity professional was nowhere on my radar. I was all set to dive into the art world, but turns out, my calling had more to do with tech than paintbrushes and pencils. 

“After dabbling in a few tech courses, which honestly didn't really blow my mind by themselves, it was my very own geeky side projects that spun out from these that really got me hooked. I loved poking around under the hood of technology, seeing what makes it tick, and figuring out ways to make things work better or just for my own entertainment.

“My first role might get a few laughs today—it involved a lot of data entry and managing print jobs (a nice way of saying I sent things to a giant printer, split them up and then dropped them on people's desks).

“Sounds thrilling, right? But here's where it gets interesting. I stumbled upon some ancient and very dusty DEC VAX manuals and decided to give them a read. Before I knew it, I was automating half of my tasks, giving me free time to explore the desktop computers that had just been purchased that no one knew what to do with. I knocked together some spreadsheets and databases and regularly demonstrated to everyone how cool and powerful these "new" gadgets could be, paving the way for a transition away from the traditional mainframe and ‘dumb’ terminals.

“Fast forward a few years, and I'm deep into setting up server infrastructures and networking, still not even considering cybersecurity as a career. Back then, my idea of cybersecurity was shaped by movies like War Games and Hackers — all fun and games but not something you'd make a career out of, right? 

“That changed when I was working on deploying routers and found a vulnerability that let anyone take control of the device remotely. Nothing magical, just a major configuration error – but I flagged it to the ISP, and they patched it up. That moment was a game-changer for me. It was like, ‘Hey, this stuff is real and pretty cool! I want to do more of that.’ 

“Then, working for a healthcare provider in the UK, I got a real taste of cybersecurity. We had to make sure our IT systems were up to scratch with very strict health security standards, and I loved every bit of that challenge. It got me thinking, ‘Maybe I can do this cybersecurity thing full-time?’

“Moving to Australia 18 years ago, I took the plunge into dedicated cyber roles and haven't looked back. 

“The big leap to becoming a CISO happened at Domino’s. That's where I had to shift gears from being into the nuts and bolts of the technology to someone who also gets the business side of things. It was about building relationships, aligning cybersecurity with business goals, and getting good at telling people about risks without putting them to sleep or watching as the fog of confusion descended upon them. I had a lot of help along the way — a very understanding boss who regularly challenged me and coached me, a board member who taught me to speak 'business' at a board level, and a team that wasn't shy about telling me what they needed from me.”

What are the key challenges of being CISO for a major B2C brand in 2024? 

“In our business, ‘handling the rush’ is more than just a motto — it's a way of life. This concept is crystal clear from day one, as everyone, regardless of their role, starts by experiencing the frontline hustle in our stores. It’s about delivering quality under pressure, a thrill that translates into every facet of our operations, including cybersecurity.

“Operating on thin margins and relying on the sheer volume of transactions — imagine seven pizzas flying out every second — we're constantly balancing rapid growth and adaptation with the need to safeguard the business. This balancing act extends to our network of thousands of franchisees who depend on us. Their livelihoods, and those of their teams and families, hinge on our ability to strike the right balance between security and operational efficiency, risk and cost.

“Seeing our product enjoyed in the wild brings an immense sense of pride, a testament to our brand's reach and recognition. However, this visibility also paints a target on our back, making cybersecurity a paramount concern not just for protecting data, but for preserving the trust and love our customers have for us.

“Our challenges as well don't stop at the borders of the regions that we operate in. Being part of Domino’s Pizza Enterprises Ltd, which operates in 12 regions, we face the ripple effects of incidents in markets we don’t directly oversee. This global footprint requires nurturing relationships across all these markets, as a reputation hit in one area can have worldwide repercussions.

“The complexity of compliance is another unexpected hurdle for us. While we're not subject to the intense scrutiny of sectors like finance or healthcare, navigating multiple privacy laws (seven at last count), EU NIS2 requirements, PCI-DSS, and keeping an eye on the evolving EU AI Legislation, presents its own set of challenges.

“In a large, geographically dispersed organisation that also spans large cultural differences, influencing cybersecurity practices across different business units with their unique challenges is no small feat. Despite these obstacles, our collective goal remains clear: to support our business and franchise partners while championing cybersecurity.”

Thanks to Stephen Bennett at Domino’s. Learn more from Stephen at Black Hat MEA 2024. 
