CEO Weekly

How Harrison Allen Lewis Helps Strengthen IT Security Across Multi-Location Organizations

Photo Courtesy: Harrison Allen Lewis

For large enterprises operating across hundreds of locations, enterprise cybersecurity is as much about ensuring business continuity as it is about protecting IT systems. One compromised warehouse or regional office, for example, can create a cascading failure that disrupts operations across an entire organization. The business question is not simply whether the enterprise can prevent a breach. It is whether the enterprise can keep serving customers, generating revenue, and operating safely when one location, system, or vendor connection is compromised.

Harrison Allen Lewis, Founding Partner at Jacob Meadow Associates and a three-time chief information officer (CIO), has spent decades leading IT transformation initiatives for major retailers and enterprise organizations. His approach to multi-location security focuses on strong architecture and standardization more than on reactive controls. “Leaders must define the future state architecture and environment for each location, then consistently apply it,” Lewis says. “You don’t want any one particular location that becomes compromised and then affects all of your locations.” It is a principle Jacob Meadow Associates applies across its enterprise engagements: define the future-state architecture once, govern it consistently, and measure it against business continuity rather than a checklist of controls. As organizations accelerate AI adoption and edge computing, he shares his framework for securing IT across hundreds of locations below.

Security Starts With Architecture, Not Awareness Campaigns

Many organizations misunderstand how to secure multi-location IT environments because they overemphasize awareness training while underinvesting in standardization. Retail and distributed enterprises operate under difficult conditions. High employee turnover, shared systems, operational pressures, and decentralized environments create significant security governance challenges, because employees are focused on serving customers and maintaining operations, not navigating complex security protocols. “The survivability of individual locations is critical,” Lewis says. “Locations must be able to continue generating revenue even when certain services are unavailable.” In a distributed enterprise, zero trust must translate into practical operating controls: verified identity, least-privilege access, segmented networks, managed devices, role-based permissions, and clear service dependencies for each location.

A store should never become a gateway into the broader enterprise, and Lewis points to common failures inside distributed retail networks, where servers and edge devices are left in unsecured offices or storage rooms accessible to large numbers of employees. At the same time, Lewis warns against creating overly burdensome authentication experiences. “Too many hurdles lead to non-adoption,” he says. Authentication should align with the risk level of each application. Point-of-sale systems may require stronger identity verification tied directly to payroll systems and role-based access controls, while lower-risk ordering applications may require lighter controls.

Data Becomes a Liability When Companies Keep Too Much of It

As organizations race to build AI capabilities, Lewis sees another major issue emerging: companies storing sensitive data they no longer need. “Data is either an asset or a liability,” he says, stressing that organizations should aggressively reduce unnecessary data retention, particularly around cardholder data and personally identifiable information (PII). “With tokenization and modern payment gateways, there’s no reason to store cardholder data,” Lewis says. “If you never make the decision to keep that data, then you don’t need to protect it.” Rather than building larger repositories of customer and employee data, organizations are increasingly focusing on minimizing exposure altogether.

Lewis advocates for tightly constrained download permissions, organization-controlled collaboration environments like SharePoint and OneDrive, and role-based data access policies that limit unnecessary visibility. “Targeted security-awareness training is essential,” Lewis says. “You let people know specifically what types of fraud and impersonation can and will happen.”

Embedding Security Into Operational Culture

Security culture cannot exist separately from operational culture. “If security is taught by the same person delivering job-function training, it carries the same weight and legitimacy,” Lewis says. Instead of one-off security seminars, he embeds security directly into onboarding, operational procedures, and role-based training. For example, cashiers learn payment terminal security while learning checkout operations, and managers learn fraud protocols while learning financial controls.

The approach mirrors lessons Lewis learned earlier in his career while managing unionized retail environments. Rather than separating operational onboarding from union onboarding, he integrated them to create clarity and alignment for employees from day one. The same principle now applies to enterprise cybersecurity. Security works best when employees view it as part of their role, not as an external obligation imposed by IT.

Standardization Determines Enterprise Resilience

In complex retail and distributed-enterprise environments, Lewis has seen how inconsistent architecture, inherited legacy systems, and loosely governed regional operations can magnify the impact of a localized security event. In one case, a disruption that began in a single regional environment spread into broader enterprise systems, affecting warehouse operations, employee scheduling, and ordering workflows. Teams reverted to paper-based processes while warehouses fulfilled requests manually, without automation. “It becomes impossible to crawl out of,” Lewis says.

The lesson reinforces what Lewis views as the CIO playbook for enterprise security: standardized architecture, constrained access, operational resilience, and disciplined modernization. Organizations pursuing IT transformation cannot afford fragmented environments created through shortcuts, inconsistent integrations, or inherited legacy systems. From legacy systems to secure cloud infrastructure, every modernization decision affects long-term resilience. “The problem cannot be thought of purely from a retail location perspective,” he says. “You have to think about it from an enterprise perspective, and think about the services necessary for organizations to realize revenue and serve customers.” The goal is not to leave a client with a one-time recommendation, but with repeatable governance, standards, and decision processes they keep using long after the engagement ends.

Follow Harrison Lewis on LinkedIn or visit his website for more insights into enterprise cybersecurity strategy, operational resilience, and secure IT modernization.


This article features branded content from a third party. Opinions in this article do not reflect the opinions and beliefs of CEO Weekly.