Last year I was fortunate to attend several all-day Chief Information Security Officer (CISO) roundtables on data protection with some of the top CISOs from the Fortune 500 and beyond. Imagine being the CISO of a huge company like Honeywell with over 100,000 employees made up of hundreds of loosely coupled acquisitions worldwide, or Thales, a $17B organization and itself an industry leader in security. Imagine being the CISO of one of the major international banks like JP Morgan. As the CISO, what would be most on your mind? What would be keeping you up at night? Here are the 5 recurring themes I heard.
There’s a lot of excitement in the security world today around artificial intelligence (AI) and, more specifically, machine learning (ML). CSO Online lists their top 5 use cases for machine learning in security, which include detecting malicious activity in the network, automating repetitive tasks, and analyzing large volumes of data for threat intelligence. But another immediate application of machine learning will be in data protection and the prevention of data leaks.
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) introduced a higher bar than ever before for data protection, in all industries. The GDPR applies to any company that comes in contact with any form of European personal data. Article 32 of the GDPR, covering the security of processing, recommends the use of encryption for personal data. In fact, encryption is increasingly recognized as the “get out of jail free card”, because GDPR does not require you to report a data breach if it involves data that was encrypted, giving companies a powerful incentive to re-think their company-wide encryption strategy.
Here in Canada we had a small online payment processor, Koho Financial, get breached. They are a startup with only 107 employees, but they process billions of dollars of payments a year. The breach cost them millions. FinTech has not had a lot of major public data breaches in recent years compared to most other industries. Perhaps they are more diligent in their security practices, or maybe they're just better at keeping it under wraps?
When an incident does occur, though, even to small companies, so much money flows through them that the impact can be spectacular.