Webinar recap: Inside Ulta Beauty's SOC — lessons from retail security

Key takeaways

This webinar highlighted several critical insights about building a security operations center in retail:

1. Build the business case with measurable ROI: The most successful SOCs demonstrate value by showing how well they support store teams during their most challenging moments, not by the volume of alerts generated. Focus on both hard savings and the qualitative impact on associate safety to secure executive buy-in.
2. Soft skills matter as much as technology in retail security: Building an effective SOC requires strong people leadership, positive team culture, and workflows centered on the associate experience. Technical expertise can be learned, but the ability to support people through crisis situations makes the difference.
3. Intelligence is your foundation: Accuracy and speed are the two forms of currency that build trust in SOC operations. Quality intelligence allows teams to make faster, smarter decisions about real threats without overwhelming stores with noise.

Retail crime has fundamentally changed since the pandemic, with violence and organized theft becoming more prevalent across stores. Many retailers have responded by building security operations centers to provide real-time support and intelligence to their store teams. But what does it actually take to stand up a SOC that delivers measurable value?

Mike Korso, Director of Loss Prevention Intelligence at Ulta Beauty, shared how his team built the "Epicenter," a 24/7 SOC that has been operational for four years. Speaking with Bobby Haskins, Director Cybersecurity Defense - Product & Strategy at Target, Mike provided practical insights into everything from securing executive buy-in to choosing the right technology capabilities.

Building the business case for a retail SOC

Post-COVID retail crime patterns provided the catalyst for Ulta Beauty's SOC initiative. Store associates faced increasingly dangerous situations, and the existing reactive approach wasn't keeping pace with the threats. Mike and his team recognized that a centralized operation could provide the real-time support their 1,500+ stores desperately needed.

Securing leadership buy-in required extensive research and process mapping. Mike explained their approach: "There was a lot of researching, benchmarking, and process mapping. Whiteboarding, figuring out how could a centralized security operation center provide value for current state processes, and then what are other organizations and businesses doing?" They looked beyond retail to hospitality and restaurants, extracting principles that could apply to their unique environment.

The team branded their SOC as the "Epicenter" (Enterprise Protection and Intelligence Center), deliberately positioning it as an "associate service center" rather than a traditional security operations center. This framing proved critical in gaining internal support across the organization.

"We put the associate or the ‘customer’, if you want to call it that, at the center of everything we do… My answer is always start with the customer, meaning the associate, the business partner, the enterprise leader. Determine what their needs are and then work backwards."

Structuring SOC roles, workflows, and technology

Building the right team proved essential to the Epicenter's success. Mike emphasized that culture and talent matter more than having the perfect technology stack: "Having the right mix of talent, culture, and workflows, that's a winning recipe." The team includes analysts, operations managers, and a quality and content analyst who ensures processes remain unified and training stays current.

Technology selection followed the mission, not the other way around. Because Ulta's primary focus centered on life safety and associate support, mass notification and situational intelligence capabilities became priorities. Mike cautioned against the Hollywood vision of walls covered with dozens of monitors: 

"I don't think there's any universal tech stack or any precise software and modules that any one security operations center needs to have… Starting at your core of your mission, figure out how the technology that's available out there can support and drive results in those areas."

Managing alert fatigue requires discipline and clear boundaries. Mike introduced the concept of "intelligence currency" to help guide decisions:

"There's two forms of currency that drive the most value. It's information, accuracy, and speed. Those two things combined, that's the currency that helps build trust. Do you necessarily have to communicate and send that out as a mass notification? That's where I think knowing your business and knowing your stakeholder and their expectations are really important."

Intelligence as the foundation of effective SOC operations

Auror's Retail Crime Intelligence platform forms the foundation of the Epicenter's operations, supporting approximately 75% of their work. The integration allows Mike's team to process cases in roughly 15 minutes, a massive reduction compared to other solutions he considered.

Mike described the impact using a space exploration metaphor:

"Auror is a force multiplier. Auror multiplies the intelligence by volume and quality because of the way in which we centralize the event intake and leverage the tools. It's really like the James Webb telescope in the sky… That allows people to see deeper pictures in interstellar space and different galaxies and planets. Auror has essentially helped us unlock different viewpoints and pictures that we would never have seen without it."

Connect the Dots, Auror's AI-powered linking capability, emerged as what Mike called "a collaborative game changer." By connecting offenders through spatial analytics, the team gains visibility into patterns and networks they would have missed otherwise. This intelligence enables faster case building with law enforcement partners and more strategic resource deployment.

Measuring ROI extends beyond hard dollar savings. Labor efficiency improvements, faster intelligence gathering, and stronger external cases all contribute tangible business value. However, Mike emphasized a different metric matters most:

"The most invaluable ROI of all, in my opinion, is helping an associate navigate through a very challenging situation. It could be ORC with violence, assault and battery… Having a person that specializes in that, in the security operations center at the epicenter to be able to say, hey, how can I help?"

Key lessons for retailers considering a SOC

Mike's four-year journey building the Epicenter revealed three critical lessons:

Stay nimble and adapt quickly. Workflows won't always perform as designed. The ability to pivot based on feedback from associates and business partners separates effective SOCs from those that struggle to gain traction.

Protect your team's capacity. Labor represents a finite resource inside any SOC. Before accepting new responsibilities, understand the impact on team bandwidth and ask clarifying questions rather than defaulting to "no."

Align early and often. Continuous communication with business partners prevents misalignment and ensures the SOC meets actual needs rather than assumed ones. Regular check-ins about alerting preferences, notification timing, and risk assessments keep everyone synchronized.

Mike also addressed imposter syndrome for those considering SOC leadership. Most leaders in these roles, including himself, didn't have prior SOC experience before taking on the responsibility. Success comes from being a strong people leader, understanding talent needs, and building positive team culture. The technical aspects can be learned, and the LP community offers abundant support for those willing to reach out.

Auror's mission is to reduce violent retail crime by 50% in the next five years. Security operations centers like Ulta's Epicenter, powered by Retail Crime Intelligence, represent a critical tool in achieving that goal. By giving retailers the capability to proactively protect their teams from known high-risk individuals while maintaining operational efficiency, an intelligence-led security operations center can transform how retailers address the escalating safety crisis.

‍

Request a demo to see how Auror’s Retail Crime Intelligence can help protect your stores from violent repeat offenders while empowering your security operations.