With data and AI becoming the new currency, cybercrime is posing an increasingly high risk and corresponding opportunity. From helping secure financial, health, and consumer data to creating safeguards for end users and their personal devices, the security sector carries an enormous responsibility to deliver effective solutions.
We spoke with Ken Pickering, Director of Engineering at ecommerce company, Rue La La, to get his insights on the importance of security in an increasingly data- and AI-driven world.
What do you think will be the biggest innovations in the security sector in the next 10 years? I think the future of the industry is going to push toward making security more present and seamless in our everyday lives, like the mag stripe to chip-and-pin in credit cards transition we’re going through. I could see multi factor security mechanisms becoming more mainstream to reduce fraud. I also think machine learning and data mining will lead to be able to being able to catch attacks as they mutate/evolve, potentially getting away from derived pattern analysis to a more algorithmic approach without as many false positives/negatives as solutions today. Lastly, I think companies are always looking for a way to make security less of an arcane concept and more of a process of doing business everyday.. So accessibility of that information with the potential business risks is poses will help shape the industry.
Where do you think there are areas of opportunity for Massachusetts security tech companies to lead? All of it. We’ve got a lot of great enterprise programmers in Boston, hungry for working on cutting edge technology. Security is a massive industry and it’s growing every year. Massachusetts needs to grow with it, so we can keep our private and public sector organizations secure.
What is data’s role in the security sector and how do you see it influencing future innovations or sector growth? Data is useful in security for really two major reasons. 1) using large amounts of data to train machine learning approaches to security. 2) Collecting all of a companies inbound/outbound traffic at multiple layers for analysis to identify aberrations. The most terrifying attacks are the long duration “advanced persistent threats” where attackers are slowly exfiltrating data from a network over a long period of time. Being able to define the patterns for these very hard to detect attacks, in addition to actually detecting them before a large breach will be essential to the industry, especially against state-sponsored infiltrations. There’s nothing more shocking and disruptive to a security team to learning you’ve been leaking user information and other critical documents over a long period of time and just missed noticing it.
What are you most excited about that you’re working on now? I work for a consumer facing company, so security is important to us because we’re protecting the data of millions of real customers… My family shops at Rue, as do I. I mean, I keep my personal information in our systems so I have a vested interest in making sure I’m doing my job. But, really, security at Rue Lala is really important to keeping our customers satisfied and our business healthy… One of our company mottos is ‘Inspiring Confidence’ and one major way we do that is properly securing our users’ information, and having them trust doing business with Rue is secure.
It’s exciting because there’s a definite reward to doing it. You know your millions of shoppers have confidence in using your service, without fear of getting their identity lost.
What challenges do you face in keeping your consumer’s data secure? We’re a “full stack” commerce shop, so we need to secure everything from our payment processing and user records, our collected data, and other intellectual property we’ve developed, to making sure our business operations run well across multiple sites. We deal with attacks daily, and constantly battle against people who attempt to make fraudulent transactions.
PCI is obviously the big one for us (as a retail company), but there are some things that fall outside of PCI that companies should still look into. Really, flipping from the security industry to a consumer company, I truthfully dislike dealing with ‘compliance only’ security policies… where corporations do the bare minimum to protect their users, because they’re only tracking to a specific compliance framework. Sadly, a lot of companies I saw while working as a security provider followed that path. It comes down to the philosophy of why you have security policies in the first place: to check boxes or protect your users.
So, the challenge for us is really dealing with live attacks all the time consistently testing our infrastructure. We’re big enough to be a target, which definitely forces you to keep up. We also seek to reduce our attack surface to as small an area as possible, so it’s easier to control, monitor and maintain. We face very real challenges here, though, so security is not a one and done thing… It’s part of our ecosystem and our technology process.