At the many events Information Security Media Group hosted in the past year, I had the opportunity to conduct video interviews with a long list of leaders in the financial sector.
In addition to interviews at our fraud and data breach summits, I also conducted sessions at the RSA Conference 2015. As the year draws to a close, here's my review of three of the best of those interviews, each of which I encourage you to view.
First up is Bob Carr, CEO of Heartland Payment Systems. As you'll recall, Heartland, which earlier this month was acquired by Global Payments, suffered a massive data breach in 2008 that exposed some 130 million credit and debit cards. The incident cost issuing banks and credit unions about $500 million, and Heartland spent $150 million on remediation.
Carr took ownership of Heartland's breach and spoke about it in great detail in the following weeks and months. And his transparency earned him a lot of credibility.
"We knew when the breach happened ... and within hours we thought we had remediated it," Carr told me during our interview. "That was our mistake. ... The bad guys were in our system for six months before they figured out how to cross over into our payments network, which is when the disaster really occurred."
Watch the video with Carr, and you'll hear his explanation of how Heartland used its breach to make some significant changes. He also calls for improved breach detection and much wider use of encryption.
I also had the opportunity in October to interview Eduardo Perez, senior vice president of payments risk at Visa.
The U.S. migration from magnetic stripe card technology to the EMV chip was front and center this year, and Visa was not always the most popular name among merchants and issuers.
Perez never dodges the hard questions, and he always speaks candidly to me. When testifying before Congress about data security concerns in the wake of the Target and Neiman Marcus breaches, he used the same straightforward approach.
"Retailers need to remain vigilant in practicing good security hygiene and complying with PCI-DSS at a minimum," Perez says during his video interview with me. "We continue to require entities to comply with PCI-DSS; that's another way that we are ensuring that large merchants, in particular, remain focused on protecting sensitive, residual data that may flow through their systems. And then what we also have promoted is merchants adopting other technologies, like encryption and tokenization, to protect residual data. Those technologies, in combination or in and of themselves, help to devalue data, which makes the likelihood of a breach less and the cost of a breach much lower for the affected institutions."
View the interview with Perez, and you'll hear him explain why PCI compliance remains the baseline for keeping card data out of attackers' hands, while EMV, along with encryption and tokenization, makes whatever data a breach does expose far less useful to the criminals who steal it.
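As an added illustration of the tokenization and "devaluing data" Perez describes above, here is a minimal vault-style tokenizer. This is example code written for this review, not Visa's, Heartland's or any processor's implementation. The token format (same length, last four digits preserved, deliberately failing the Luhn check), the HMAC-keyed lookup index and the sample test card numbers are all assumptions of the example.

```python
"""Vault-style tokenization: the merchant keeps a token, the vault keeps the PAN.

Added illustration only; not Visa's, Heartland's or any vendor's code.
Assumptions (labelled): tokens preserve length and last four digits, are
deliberately non-Luhn so they can never be mistaken for a real card number,
and the vault's PAN store is the only place a token can be reversed.
"""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check used by card brands; True means the string could be a real PAN."""
    if not number.isdigit() or len(number) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The vault side of a tokenization service (runs outside the merchant's environment)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key                # HMAC key for the lookup index, never leaves the vault
        self._token_to_pan: dict[str, str] = {}    # would be encrypted at rest in a real deployment
        self._index: dict[str, str] = {}           # HMAC(PAN) -> token, so the index holds no clear PAN

    def _index_of(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index_of(pan)
        if idx in self._index:                     # same PAN -> same token, so repeat-customer analytics still work
            return self._index[idx]
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            # Reject candidates that pass Luhn or collide: a token must never look like a card number.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; a breached merchant database cannot."""
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str) -> dict[str, str]:
    """What the merchant stores after checkout: a token and the last four digits, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


def breach_exposure(records: list[dict[str, str]]) -> int:
    """Count rows of a leaked merchant table that contain something usable as a card number."""
    return sum(1 for r in records if luhn_valid(r["token"]))


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed sample input: standard brand test numbers, not real accounts.
    sample_pans = ["4111111111111111", "5555555555554444", "4111111111111111"]
    stored = [merchant_record(vault, p) for p in sample_pans]
    print("merchant table:", stored)
    print("usable card numbers in a dump of that table:", breach_exposure(stored))
    print("vault round-trip:", vault.detokenize(stored[0]["token"]))
```

The point to take from it is the one Perez makes: the merchant's table holds tokens that fail the Luhn check and map to nothing outside the vault, so a dump of that table contains zero usable card numbers. The vault, not every merchant, becomes the asset that needs PCI-level protection.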
I'll wrap up my review of the top interviews of 2015 with a look back at the RSA Conference, when I interviewed cybersecurity attorney Joseph Burton, a partner at San Francisco law firm Duane Morris.
Burton's credentials are impressive. He's a former assistant U.S. attorney for the Northern District of California, where he handled the first prosecution in the U.S. for criminal copyright infringement of computer code. Today, he's a nationally recognized expert in information security law, with an emphasis on cybercrime and cybersecurity.
In our video interview, Burton talks about the legal ramifications of information sharing. "One of the issues that clients have with information sharing is whether or not there may be some liability that flows from sharing the information and/or exposing what they are doing, or in some instances, not doing," Burton says. "So some sort of immunity or exemption for sharing is what most clients are worried about. The other issue is not so much liability for sharing, but clients worry about the confidentiality of information they have. There also are clients that have information that is regulated. They have a specific requirement to maintain the confidentiality of that information."
But Burton says some of the concerns about information sharing are overblown. And the recently enacted cybersecurity legislation, with its new liability protections, also could help ease those concerns (see: Obama Signs Cyberthreat Information Sharing Bill).
I hope you enjoy these video clips. I'm looking forward to bringing you many more interviews with industry leaders in the year to come.