With Infosecurity North America heading to New York in just seven weeks' time, keynote speaker Matt McKeever, VP – CISO, LexisNexis, offers his insight into what the future holds for the industry.
- What is the biggest information security threat to your industry?
I think the largest risks are related to the various IT transformations that are occurring, particularly the migrations to cloud computing and agile development methodologies. Fundamentally they don’t introduce new threats, but the speed and ways in which security integrates with the new methodologies change.
- What can delegates expect to learn and hear about during your session on the Keynote Stage?
Security of cloud environments is different. Each cloud offering and environment is unique, and the solutions to secure them also vary in maturity. Teams and individuals need to learn different approaches, extensively collaborate and borrow common/best practices from others as they start a new journey. You need to take advantage of many of the native utilities of the different cloud environments. This can be augmented with internal scripts/code to collectively maintain and/or increase your security posture.
- What advice do you have for practitioners building a strategy to defend against the threats of today and tomorrow?
Attract, retain and/or retrain your staff to think analytically and outside the norm. Continue to learn and pay attention to current threats as they will be expanded upon in the future. Ensure you have the ability to analyze data to detect the advanced threats that will be stealthy.
- In your opinion what are the hot trends/topics right now? And what will be the biggest trends in 2019?
Cloud migrations and/or “digital transformation” are currently hot topics. As more and more credentials are stolen, I would not be surprised if “authentication”-based attacks become a big trend in 2019. We are starting to see some types of attacks with the Sextortion phishing campaigns. Streamlined multi-factor authentication of users and/or devices could be of greater focus in 2019.
- What are your thoughts on whether the USA should implement a general data protection regulation at a federal level (similar to the EU GDPR)?
I don’t think we will see any legislation at the federal level. We are starting to see several states implement regulations. Currently most of the associated laws and enforcement are still at the state/local level. As each state starts to implement its own rules, they will hopefully start to become very similar. Ideally, they should all share/learn from each other.
Infosecurity North America will take place on 14 – 15 November at Javits Convention Center, New York. Register today!
- Do you feel that by being compliant your company is therefore secure? Does compliance equal security?
Compliance is a measurement of certain identified controls to be compliant with certain regulations. Meeting the various related regulatory standards may help you become secure, or provide a sense of security, for an identified area. There is not a set of regulations that, if you comply with them, will ensure you are secure. At best, being compliant can serve as a set of guiding principles. They do protect the business from regulatory impacts and potentially unwarranted scrutiny.
- What regulations affect you the most?
My area of the company is not highly regulated. We do need to comply with SOX, GDPR, and PCI.
- What are we, as an industry, doing right?
I think we are starting to share and collaborate more. Events like this pull people from different and/or the same industries together to enable conversations and building of relationships.
- What one piece of advice would you give to someone who is entering the information security profession?
I often tell new individuals entering the profession to learn Python or a scripting language and be ready to analyze lots of data. Systems continue to generate reams of more data and information that need to be analyzed. The ability to quickly process this information will be a key to finding and defending our systems.
- Final word…
The more things change, the more they stay the same. The implementation of basic security controls will still prevent a majority of security incidents. These include:
- Patching: At all levels, not just the operating system
- Privilege Access Management: Restrictions on administrative and/or elevated rights.
- ID Management: Removal of IDs when people leave; rotate or extremely strong passwords
- Restricted Access: Tight firewall rules; limited access to and within systems for all users
- Keep logs: They will come in handy when/if things go wrong.
Do you want to hear more from Matt? He will be speaking on the panel Security in the Cloud: Developing an Effective Governance Strategy for the Evolving Cloud Environment at Infosecurity North America. Register today!