“Our biggest threat will be, as always, ourselves; as long as we continue to combat complacency, challenge the status quo and lead innovation, no obstacle will be insurmountable,” says Flavio Villanustre, VP, Technology and CISO, LexisNexis Risk Solutions, in an exclusive interview with EnterpriseTalk.
LexisNexis Risk Solutions is one of the largest protectors of private and confidential data in the world. Do you see any changes in strategies with new and innovative technologies making seamlessly integrated platforms? Do you see an increase in risks?
Over the past several years, we have seen a significant paradigm shift in the cyber-threat landscape; attackers have grown more determined, resourceful, and sophisticated, which puts pressure on revamping the approach to protecting data. While the first generation of integrated big data platforms used to be almost exclusively focused on performance and capabilities, over time they started to put emphasis on data protection, implementing and enhancing capabilities around data encryption, identity and access management and activity logs, in addition to a posture where security is no longer an afterthought and rather built into the system from inception.
Additionally, concerns about privacy and regulations around the world require many of these platforms to build better capabilities to track data provenance, consumer consent, data reduction and, in some cases, implement privacy-preserving technologies such as k-anonymity and differential privacy, which is a change from what we saw a decade ago. On the functionality front, we are starting to see more platforms offering integrated machine learning and deep learning capabilities, more user-friendly interfaces, and easier deployment on public cloud environments, accelerating on a trend that we have seen for a number of years.
How do you keep up with innovative and dynamic enterprise transformations?
It is quite difficult to keep up with innovative and dynamic enterprise transformations unless you are the one anticipating and leading the change, the philosophy that we adopted in LexisNexis Risk Solutions since the very beginning.
A good example of disruptive change that we drove very early was the use of probabilistic linkage techniques in data management, back in the early 2000s, because we saw the significant positive impact that this could have on the services that we provided to our customers and the value that this would realize for them, this being through fraud prevention, catching criminals or reducing the overall cost of car insurance for the majority of the population. On the opposite side of the spectrum, we held off on moving our most critical workloads to public clouds for a relatively long time because we appreciated the additional risk that early public cloud adoption would introduce.
Clearly, financial data needs a very high level of risk protection. Which would be your focus of the next in line vertical where data is more valuable than anything else?
I would challenge anyone to name an industry that has not been positively disrupted by adopting big data and analytics in the past decade, and this trend is only beginning. Up until a couple of decades ago, many industries used to operate based on HIPPOs (Highest Paid Person’s Opinions), but this is no longer sustainable. This is true of even those industries that traditionally were not early technology adopters; data is being used to drive the day-to-day missions of farms, mining operations, healthcare, safety, and public services, etc. Moreover, a few years from now, there will be two types of companies: those that adopted big data and data analytics, and those that only appear in the history books.
Despite their best efforts, the global enterprise is not fully safe from risk. Your tools and prop technologies also cannot do a complete job. What would be your wish list for achieving an almost-there level of risk security?
Very rarely can risk be completely eliminated. However, inherent risk can be mitigated through a combination of risk mitigation strategies, risk shifting, and at the end of the day, acceptance of the residual risk. When addressing big data risks, in particular, two types of risks must be discussed: the risk of data breaches and the risk of data misuse. The former is addressed through data security, while the latter is most commonly addressed through data privacy and regulation. When it comes to data security, one of the most significant sources of risk is the overreliance on fairly immutable data elements for identification such as, for example, social security number, names, addresses, dates of birth, credit card numbers, and the like. When any long-lived data element is exposed and misused, the damage is usually broad and long-lasting because changing those data elements is difficult and costly.
The mechanism that I’m referring to is known as public-key cryptography and digital signatures, which was invented in the ’80s. While this is widely spread as the method that web browsers use to identify websites (adding the “secure” or “SSL/TLS” labels to the URL bar), it has not had enough traction outside of that specific domain. Using public-key cryptography at the core of identity management would almost eliminate a very large portion of the risk of data leaks, but this is easier said than done. To my knowledge, the only country to date to implement this is Estonia, and it has taken them a combination of public policy, resources, and determination to get to this point.
What do you see as the focus of your data risk management solutions in two years from now? Where would you see bigger threats from?
We will continue to drive value for our customers, offering more sophisticated but, at the same time, user-friendly analytics, more comprehensive coverage to help them prevent fraud both online and offline and drive a number of new solutions across all of our market verticals. Our biggest threat will be, as always, ourselves; as long as we continue to combat complacency, challenge the status quo, and lead innovation, no obstacle will be insurmountable.
“When addressing big data risks, in particular, there are two types of risks that must be discussed: the risk of data breaches and the risk of data misuse. The former is addressed through data security, while the latter is most commonly addressed through data privacy and regulation.”
Flavio Villanustre, VP, Technology and CISO, LexisNexis Risk Solutions
Flavio Villanustre is CISO and VP of Technology for LexisNexis® Risk Solutions. He also leads the open source HPCC Systems® platform initiative, which is focused on expanding the community gathering around the HPCC Systems Big Data platform, originally developed by LexisNexis Risk Solutions in 2001 and later released under an open source license in 2011. Flavio’s expertise covers a broad range of subjects, including hardware and systems, software engineering, and data analytics and machine learning. He has been involved with open source software for more than two decades, founding the first Linux users’ group in Buenos Aires in 1994.