Security and Risk thought leader Les Correia wears many hats with one mission: protecting Estee Lauder’s critical assets from the risk of a security breach. He is part of a team that guides many security initiatives at Estee Lauder, including advisory services, architecture, engineering, operations, audit, governance and much more, with global reach. In this interview at the NY Information Security Meetup (NYIS) in Manhattan, Les shares some lessons learned mitigating the risk of security breaches in the cloud and on-premises.
What are the key security trends for 2019?
- Tighter controls with regard to privacy regulations as we move into enforcement
- Continued cloud push
- Greater use of artificial intelligence, data sciences, threat intelligence, and analytics to analyze large data collections
- The increasing use of mobile, social media, cloud, BYOD in our workspace requiring better-integrated solutions and intelligence sharing
Are data identity and privacy big focus areas for security over the next few years?
Data security and privacy is always a focus. Even though regulations continue to evolve, the general principles have remained the same. PII has expanded to include sexual preference, medical prescriptions, eye color, etc. It’s clear that the first offenders probably garner the most news. I see better solutions in this area.
Do you see insider threat growing as a problem or just an overhyped media-related issue?
Insider threats can be broadly categorized as accidental, negligent, or malicious. Policies, controls, and training can handle accidental and negligent threats. It is the malicious insider threats that are of concern. Traditional technologies tend to be reactive or too intrusive, bordering on privacy concerns. There is a trend towards building better controls by micro-segmentation of critical information to limit the damage. There are predictive studies that can be indicators of malicious insiders.
Do you believe organizations can achieve true continuous compliance?
Compliance in the real sense implies a maturity in processes, people and technology to ensure that everything is up to date with regulations and standards. I would say that one can strive towards that goal. Some often assume an entity is compliant if an auditor checked a box.
How do you and your team handle a continuous onslaught of alerts and policy management across dozens of security technologies?
We use several next-generation toolsets on-premises and in the cloud to address threats. As expected, a critical aspect is the integration of these toolsets, and intelligence sharing in context is essential. Our team continues to strive to keep abreast of the latest tools, techniques, and procedures to raise awareness and keep out the bad guys.
How would you summarize addressing risk and security concerns?
Over time, technology has increasingly become innovative and sophisticated with expanding connectivity and sharing over various mediums. Mobile, social media, cloud, BYOD and IoT have expanded the cyber threat landscape. Additionally, various privacy regulations add to the complexities. It is imperative that we shift our cybersecurity strategy from outright prevention to implementing techniques to quickly detect breaches and limit the damage once a violation is confirmed. This along with better integration with various toolsets and shared intelligence is a necessity. This does not preclude improving processes.
What are some ways an organization can mitigate risk?
- Cyber risk assessment, data classification, and mapping
- Security control implementation using integrated third-party solutions like CASB, container security, endpoint technologies, SOAR, SIEM, and DevSecOps
- Regular verification of security control performance
- Breach preparedness planning and testing
- Risk acceptance and risk transfer (i.e., cyber insurance)