Presentation: Data Security Dreams and Nightmares

We have done a lot of research over the years looking at information security, specifically around breaches. Whether it’s an honest mistake, a not so honest mistake, or pure negligence, breaches cause huge issues to a company and its victims. There’s a resulting correlation between good security and rewards.

Study and learn from the companies who have had breaches. How were the data security practices, and what caused the resulting breach? Was the breach resolved correctly, or were there problems with the solution? What damage did that cause the company? There’s a correlation between good security and rewards and understanding this can help you make the right decisions

One example is the Yahoo breach that occurred in the midst of a corporate crisis. The hackers had a very small sample that looked like Yahoo data but they didn’t actually have any data in their possession that belonged to Yahoo. Unfortunately, that affected the company’s perception and subsequent sale to Verizon.

Another example would be the Equifax breach. Their outgoing CEO blamed a single person for the breach, a single point of failure which was completely not true. It was the entire company’s environment and security practices that led to the downfall.

A positive incident response would be the 2014 breach of JPMorgan Chase. They disclosed quite a bit of detail about the breach and invested over $250 million in information security practice to make themselves more secure. They not only gave investors and clients peace of mind, but they’ve stayed mostly breach-free for the past 4 years. That is a huge undertaking in today’s society.

Any person who has a stake in the information security process. Security is not a single person’s responsibility but is a multi-person effort. Everyone can learn from other companies’ mistakes that led to breaches and downfalls. Developing secure software is good in theory but it’s having a security mindset that is important.

Complacency. Thinking because you’ve already bought into security that you’re secure. You're not secure. You’re taking someone’s word that you’re secure. We are always coming up with new patches. You have to constantly think about improving security. Some companies are developing incentives for their developers to find security bugs. Instead of pointing fingers, they are rewarding developers for identifying honest security mistakes.

The speed of security development and the rapid deployment of solutions is changing the game. We are tired of the development of security features that takes months, leaving companies exposed for a significant amount of time.