Security Best Practices from Lucidworks InfoSec Specialist
Whether you’re part of a security team for a specific part of your company’s infrastructure or you’re involved in the org-wide effort to keep your data and employees safe, information security is a crucial part of every company’s day-to-day functioning.
We did a brief Q&A with our own Shaya Stark, Information Security Specialist, to better understand some of the challenges and misconceptions about security that could be (at best) slowing down your workflow or (at worst) setting you up for breach or attack.
Hi Shaya. What are you working on right now at Lucidworks?
Right now, I’m focused on internal product testing, everything that goes into achieving international compliance standards. I’ve been with the team for about a year and am really enjoying the work.
What are some of the common misconceptions people have about building a secure business?
I would say there are a few different things. One of them is that, unfortunately, it’s not possible to prevent ALL security incidents from happening to your company. But by adopting industry best practices, we are striving to be as prepared as possible and are regularly testing our many environments. The best way to handle incidents as they happen is being aware of how a vulnerability can be exploited and how severe it could be. Some vulnerabilities aren’t worth spending time and energy on because the cost to prevent is beyond the potential damage it could cause if successfully exploited. The opposite is also true: there will be vulnerabilities worth the investment in time and resources to mitigate and fortify against because the possible cost of damage is too severe.
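The cost-versus-damage rule described in the answer above is the same comparison a risk register makes: estimate how often a finding is likely to be exploited and what one successful exploitation would cost, compare that expected loss with what the fix costs, and spend on the findings where the gap is largest. The script below is an added illustration for this post, not Lucidworks code or the interviewee's own process; the finding names, likelihoods and dollar figures are constructed sample values, and the annualized expected-loss model is an assumption chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Dict


@dataclass
class Finding:
    """One entry in a risk register (all numbers are estimates supplied by the team)."""
    name: str
    annual_likelihood: float  # estimated probability of exploitation per year, 0.0..1.0
    impact_cost: float        # estimated loss in dollars from one successful exploitation
    mitigation_cost: float    # estimated cost in dollars to fix or fortify against it


def expected_annual_loss(f: Finding) -> float:
    """Likelihood times impact: the loss you expect per year if nothing is done."""
    if not 0.0 <= f.annual_likelihood <= 1.0:
        raise ValueError(f"{f.name}: likelihood must be a probability")
    return f.annual_likelihood * f.impact_cost


def decide(f: Finding) -> str:
    """Mitigate when the expected loss exceeds the fix cost; otherwise accept and monitor."""
    return "mitigate" if expected_annual_loss(f) > f.mitigation_cost else "accept"


def prioritize(findings: List[Finding]) -> List[Dict]:
    """Rank findings by net benefit of fixing (expected loss avoided minus fix cost), highest first."""
    rows = []
    for f in findings:
        eal = expected_annual_loss(f)
        rows.append({
            "name": f.name,
            "expected_loss": eal,
            "net_benefit": eal - f.mitigation_cost,
            "decision": decide(f),
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


# Constructed sample register; the figures are illustrative, not measured data.
SAMPLE_FINDINGS = [
    Finding("Unpatched internet-facing service", 0.5, 400_000, 20_000),
    Finding("Legacy cipher suite on an internal test box", 0.05, 10_000, 15_000),
    Finding("Shared administrator credentials", 0.3, 250_000, 30_000),
    Finding("Verbose error pages on staging", 0.2, 5_000, 8_000),
]


if __name__ == "__main__":
    print(f"{'finding':45} {'exp. loss/yr':>13} {'net benefit':>12}  decision")
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['name']:45} {row['expected_loss']:13,.0f} "
              f"{row['net_benefit']:12,.0f}  {row['decision']}")
```

Running it lists the two findings worth funding at the top and the two where the fix costs more than the expected damage at the bottom, which is the shape of the conversation the answer describes: the numbers, not the technical detail, decide the order.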
How do you recommend communicating that to your team – the potential impact security gaps could have?
It can be tricky conveying the same sense of urgency to both technical and non-technical teams to gain universal action, but it’s incredibly important. Focusing more on the financial risks to the business and less on the technical functionality makes the conversation more accessible for the larger team. Plus, when you put cost numbers in front of executives, it’s a much easier way to show the impact it could have on their bottom line and on the business.
What other challenges do you anticipate teams having when implementing security measures in their organizations?
One of the biggest dangers is lack of maintenance when implementing security controls. Setup is only that: setting things up. Ongoing maintenance such as constant log monitoring, stress-testing the infrastructure, and testing inside products and applications is required to decrease the odds of detrimental surprises. Staying up to date on vulnerabilities allows you to prioritize how each issue should be addressed.
One of the other major challenges is when required security controls hinder workflow. Controls are the mandatory steps companies take to achieve compliance and strengthen security. For example, strong passwords or passphrases for internal systems and code analysis in the CI/CD pipeline.
Do you think that’s something that can be improved over time?
I think advances in automating processes with AI will make it easier and faster for teams to determine security flaws and take action quickly. Also, we’re seeing other capabilities like SSO (single sign-on) and MFA (multi-factor authentication) become industry standards as effective ways to secure access to internal systems.
Last question. What are you most looking forward to this year at ACTIVATE?
I’m looking forward to meeting industry leaders in ecommerce, financial services, and life sciences and sharing best practices to securely leverage innovative technologies like Lucidworks Fusion. Hopefully I can ask them some of the same questions that you’ve asked me here today!