Infosecurity

Cybersecurity Education: Why We Must Start with Kids and Computers

The Case for Starting Cybersecurity Education Early

October in the D.C. area brings more than just stunning fall colors on the Blue Ridge Mountains. It marks National Cyber Security Awareness Month, a perfect time to highlight a critical shift. We’re no longer just talking to adults about cyber threats; we’re engaging the kids who will one day defend our digital world.

Every time a child boots up a computer or downloads homework, we’re looking at a future security professional. The question isn’t whether we should start young—it’s how soon we can begin. The widening workforce gap in cybersecurity isn’t a future problem; it’s a present crisis. Building a pipeline of talent requires planting seeds in elementary and middle school, not just harvesting from college graduates.

Making Cyber Cool: Beyond the Pocket Protector

For too long, cybersecurity suffered from an image problem. The stereotype of the isolated, technical genius in a dark room persists. We need a rebrand. As House Inspector General Theresa Grafenstine pointed out during a recent town hall, we must ‘slap Cinderella with a laptop.’ The field needs a marketing campaign that resonates with youth.

The goal is to replace the ‘pocket protector’ image with one of mission-driven problem-solving. Kids aren’t drawn to dry theory; they’re captivated by challenges, puzzles, and real-world impact. This new narrative is gaining traction in Congress, academia, and corporate boardrooms. The message is clear: cybersecurity is an adventure, not a lecture.

Competitions, Scholarships, and Real-World Pathways

Proof of this shift is visible in student competitions. Take the recent national Capture the Flag event joined by the (ISC)² Foundation and MITRE. Over 300 students from 73 high school and college teams battled it out. The winning teams included high schoolers, each receiving a $1,000 scholarship, an exam voucher for the Systems Security Certified Practitioner (SSCP) certification, and internship priority.

These results are telling. When properly nurtured, cyber talent doesn’t just appear in adulthood; it blossoms in adolescence. Competitions do more than test skills. They encourage systemic thinking, social responsibility, and a commitment to protecting others. They transform abstract concepts into thrilling missions.

How Schools Are Cultivating Cyber Talent

Educators are building robust foundations. At Thomas Jefferson High School for Science and Technology, Principal Dr. Evan Glazer and his team take a holistic approach. They teach operating systems, architecture, and cryptography. The key lesson? It’s the interconnectivity of these topics that makes cyber challenges real.

‘Students who enjoy cyber topics appreciate the multidisciplinary or problem-solving aspect,’ Glazer notes. He passionately advocates for extracurricular cyber activities, seeing them as essential complements to classroom learning. Other schools offer dedicated cyber curricula aligned with professional certification paths. The method may vary, but the objective is identical: equip students with tangible opportunities.

Building a Clear Career Bridge from Classroom to Career

Inspiring interest is only the first step. The professional community must then build a bridge. Students need a visible, attainable career path. Programs like the Associate of (ISC)² are designed for this very purpose. They help graduates enter the field at an entry-level and establish a clear pathway for advancement.

The responsibility doesn’t end with educators. Every organization can play a part. Supporting existing K-12 cyber competitions or launching new ones is a powerful start. Resources like the DHS Cybersecurity Division website offer ideas and frameworks for involvement.

What begins as a fun puzzle on a computer could end as a lifelong, fulfilling career. The device used to occupy a child’s afternoon might be the first tool in building our future cyber defense. The time to start is now. Look for STEM potential in the children around you. Get your organization involved. Our collective digital safety depends on the curiosity we foster today.

Destination Boston! Inside Infosecurity North America 2017 – What to Expect

With just five weeks to go, excitement is building for Infosecurity North America 2017, set to take place on October 4 and 5 in Boston. The team behind Infosecurity Magazine and Infosecurity Europe is bringing its flagship brand to the U.S. East Coast, aiming to unite the region’s vibrant information security community under one roof.

Why Boston? The East Coast Cybersecurity Hub

Boston has long been known for its academic institutions and healthcare giants, but its cybersecurity scene is rapidly gaining ground. The city boasts access to venture capital for cyber startups, a deep talent pool from universities like MIT and Boston College, and major industries—financial services, healthcare, pharma, and retail—all hungry for innovative security solutions.

In fact, the East Coast infosec community is remarkably collaborative. Organizers have partnered with organizations such as MassTech, ACSC, EWF, EC-Council, (ISC)², MIT CSAIL, Boston College, and the Cloud Security Alliance. Event director John Hyde and the content team visited Boston last month, and the reception was overwhelmingly positive. “The region is crying out for an event that acts as a conduit to bring the community together,” says the content manager. “We’re thrilled to provide that conduit.”

Next-Gen Infosec Live: Cultivating Future Talent

One of the standout features of Infosecurity North America 2017 is the launch of Next-Gen Infosec Live, an extension of the magazine’s Next-Gen Infosec initiative. This session, scheduled for Thursday, October 5, from 1:30 pm to 4:30 pm, invites undergraduate and postgraduate students to hear an inspirational talk from an industry leader about careers in cybersecurity. It’s a concrete step toward addressing the global cyber-skills shortage.

Keynote Stage: Four Modules of Actionable Insight

The conference program is built around four carefully curated modules, each designed to provide practical takeaways for information security professionals.

Hacking the Human Vector

It’s no secret that the human attack vector remains the most exploited in cyber breaches. No matter how robust the technology, a single user error or malicious insider can open the door to attackers. This module brings together experts from the SANS Institute, LexisNexis, and the CISO of Beth Israel Deaconess Medical Center to discuss strategies for driving secure behavior among users and mitigating human risk.

Privacy, Security, Governance & Risk

Regulatory complexity is a growing headache for CISOs. From vertical-specific rules like NYDFS Cybersecurity Requirements and HIPAA to international frameworks like the EU GDPR, organizations must balance compliance with real security. Speakers from Stanley Black & Decker, Wellforce, and Partners HealthCare will share governance and risk management best practices.

Combating Cyber Risks & Threats

The WannaCry and NotPetya ransomware attacks demonstrated how vulnerable enterprises are to global cyber threats. This panel, featuring CISOs from Commonwealth Financial Network, Brooks Brothers, and Aetna, will explore the evolving threat landscape—including nation-state actors and undisclosed exploits—and how defenders can stay ahead.

Building Cyber Response & Resilience

“It’s not if, but when” has become a cybersecurity mantra. This final module focuses on incident response and recovery, especially as organizations become more connected and critical infrastructure is targeted. Speakers from LexisNexis Risk Solutions, Harvard University, and an FBI Special Agent will offer practical advice on building resilience.

What Attendees Can Take Away

The keynote stage is designed to deliver actionable insights that can be applied immediately. Attendees will hear from CISOs and thought leaders who face the same challenges daily. The event also offers ample networking opportunities, connecting professionals from across the East Coast.

For those who cannot attend in person, Infosecurity Magazine will provide post-event coverage and highlights. In the meantime, check out our events page for more details on upcoming cybersecurity conferences.

Ultimately, Infosecurity North America 2017 is about community—bringing together defenders, innovators, and students to share knowledge and strengthen the industry. Whether you’re a seasoned CISO or a student exploring career options, Boston in October promises to be a milestone event for the East Coast infosec scene.

Securing Hybrid IT: Key Considerations When Moving to a Mixed Ownership Model

As organizations increasingly adopt cloud technologies, the concept of hybrid IT security has become a top priority. According to a recent report, 92% of IT professionals believe cloud adoption is vital for long-term business success. Yet, many remain uncertain about how to secure a hybrid IT environment effectively. This article explores the critical factors for safeguarding data and infrastructure when blending on-premises and cloud services.

Understanding the Hybrid IT Security Challenge

Hybrid IT involves a mix of infrastructure and applications running both on-premises and in the cloud. This creates a complex ownership model where some services are fully managed internally, while others are controlled by cloud service providers (CSPs). The confusion surrounding this model often leads to security gaps.

For instance, the SolarWinds IT Trends Report found that the top reason organizations move applications back on-premises is uncertainty over security or compliance in hybrid environments. Therefore, developing robust hybrid IT security policies is essential. IT teams must shift from traditional security approaches to ones that account for shared responsibilities.

Key Considerations for Hybrid Cloud Security

Responsibility Without Control in SaaS

Software as a Service (SaaS) exemplifies a common hybrid IT challenge: responsibility without control. When using SaaS applications like email or CRM, IT professionals cannot manage the underlying infrastructure. If an issue arises, they must submit a ticket and wait for the provider to resolve it.

This lack of control extends to cloud security policies. While internal checks—such as verifying local network performance—are possible, the IT team must rely on the vendor for backend fixes. As a result, careful vendor selection and service-level agreements (SLAs) become critical for maintaining security.

Data Confidentiality in Hybrid Environments

Moving data to hybrid IT environments raises concerns about confidentiality and privacy. When data enters a vendor’s application, it may be stored across global data centers with varying local regulations. Encryption in transit, such as Transport Layer Security (TLS), helps protect data during transfer, but it does not guarantee secure storage.

To address this, IT teams must enforce encryption at rest and ensure compliance with data protection laws. Additionally, when deploying components like databases in the cloud, network policies must restrict access to only authorized servers. For example, using Database as a Service (DBaaS) requires the same security rigor as an on-premises database, including firewall rules and access controls.
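The point above, that a cloud-hosted database deserves the same firewall and access rigor as an on-premises one, is easiest to see as a checklist run against an instance description. The following is an added example, not code from the article or from any provider; the dict layout, the `WEAK_DB`/`HARDENED_DB` configurations, the `AUTHORIZED_NETWORKS` list and the `audit_dbaas` function are all constructed for illustration. It flags the three gaps the text names: no encryption at rest, no enforced TLS, and inbound rules that are not restricted to authorized servers.

```python
import ipaddress

# Constructed sample configurations in a provider-neutral dict shape (an
# assumption for this example, not any real provider's API). The first is the
# "easy to deploy" default; the second is the corrected one.
WEAK_DB = {
    "name": "orders-db",
    "storage_encrypted": False,          # encryption at rest off
    "require_tls": False,                # plaintext client connections allowed
    "inbound_rules": [{"cidr": "0.0.0.0/0", "port": 5432}],  # open to the internet
}

HARDENED_DB = {
    "name": "orders-db",
    "storage_encrypted": True,
    "require_tls": True,
    "inbound_rules": [
        {"cidr": "10.20.0.0/24", "port": 5432},   # application subnet
        {"cidr": "10.20.1.10/32", "port": 5432},  # single batch server
    ],
}

# Networks that host the servers authorized to reach the database (constructed).
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def _rule_is_authorized(cidr):
    """True when the CIDR lies entirely inside an authorized network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(
        net.version == auth.version and net.subnet_of(auth)
        for auth in AUTHORIZED_NETWORKS
    )


def audit_dbaas(cfg):
    """Return a list of findings for one DBaaS instance; an empty list means it
    passes the same checks you would apply to an on-premises database."""
    findings = []
    if not cfg.get("storage_encrypted"):
        findings.append("encryption at rest disabled")
    if not cfg.get("require_tls"):
        findings.append("TLS not enforced for client connections")
    for rule in cfg.get("inbound_rules", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen == 0:
            findings.append(f"inbound rule open to the internet: {rule['cidr']}")
        elif not _rule_is_authorized(rule["cidr"]):
            findings.append(f"inbound rule outside authorized networks: {rule['cidr']}")
    return findings


if __name__ == "__main__":
    for cfg in (WEAK_DB, HARDENED_DB):
        result = audit_dbaas(cfg)
        print(cfg["name"], "->", result or "OK")
```

In practice the dicts would be fed from the provider's inventory API or an infrastructure-as-code plan, and the check would run in the deployment pipeline so that the "quick setup" path cannot skip it.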

Balancing Speed and Security

One of the biggest temptations in hybrid IT is rapid deployment, often at the expense of hybrid cloud security. Cloud services promise quick setup, but skipping security checks can lead to vulnerabilities. IT teams should slow down and implement robust procedures that consider the unique design of their hybrid environment.

For instance, when migrating web services to the cloud, ensure that internal security processes are updated to reflect cloud-specific risks. Avoid the “easy to deploy” trap by prioritizing security from the outset. This approach prevents costly breaches and compliance failures later.

Strengthening Security at Any Stage

Whether you are starting your hybrid IT journey or already fully deployed, it is never too late to enhance security. Take time to understand the distributed, mixed ownership model and how it changes infrastructure, team roles, and security strategies. For more insights, check out our guide on cloud security best practices or learn about data encryption strategies.

By following these guidelines, you can build a resilient hybrid IT environment that balances flexibility with robust protection. Remember, securing hybrid IT is an ongoing process—not a one-time task.

The CISO’s Critical Role in Navigating GDPR Compliance and Data Protection

Privacy is no longer a secondary concern—it is a defining challenge of the digital age. The fourth industrial revolution has swept across industries, bringing unprecedented connectivity and data generation, yet often ignoring the profound implications for individual privacy. Europe, as usual, has taken the lead by introducing the EU General Data Protection Regulation (GDPR), a landmark law that reshapes how organizations handle personal data. As the enforcement date of May 25, 2018, approaches, companies worldwide must adapt or face severe consequences. At the heart of this transformation sits the CISO, whose role in GDPR compliance is now more strategic and demanding than ever.

GDPR aims to unify and strengthen data protection for all individuals in the European Union, extending its reach to any organization processing data of EU residents, regardless of where the company is based. This extraterritorial scope means that even firms in the United States, Asia, or elsewhere must comply if they handle European personal data. The stakes are high: penalties can reach up to 4% of global annual turnover or €20 million, whichever is greater. For CISOs, this creates an urgent mandate to overhaul data governance, security practices, and organizational culture.

Understanding GDPR’s Core Requirements for CISOs

To fulfill the CISO's GDPR responsibilities effectively, security leaders must first grasp the regulation’s key pillars. GDPR expands the definition of personal data significantly. It now includes not only obvious identifiers like names and addresses but also online identifiers such as IP addresses, geolocation data, and even pseudonymous data if re-identification is possible. Economic, cultural, and health information also fall under the new scope.

Moreover, GDPR introduces a clear distinction between data controllers and data processors. A data controller determines the purposes and means of processing personal data, while a data processor handles the data on behalf of the controller. Both parties bear legal obligations: controllers must ensure their processors comply with GDPR, and processors must maintain detailed records of their processing activities. This division places a heavy burden on CISOs, who often oversee the technical and organizational measures that demonstrate compliance.

Consent and User Rights Under GDPR

One of the most significant changes concerns user consent. Under GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes or implied consent are no longer acceptable. Organizations must obtain explicit permission for each processing purpose, and users have the right to withdraw consent at any time. Additionally, GDPR grants individuals enhanced rights, including the right to access their data, the right to erasure (the “right to be forgotten”), and data portability. For CISOs, this means implementing systems that can quickly locate, export, or delete personal data upon request—a technical and procedural challenge.
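The "locate, export, or delete" requirement above is hard precisely because personal data is spread across systems keyed on different identifiers. The following is an added example, not code from the article; the three stores (`CRM`, `SUPPORT_TICKETS`, `ANALYTICS_EVENTS`), the record contents and the `locate`/`export`/`erase` functions are constructed to show what a data-subject-request handler built on a data map has to do: join across systems, produce a machine-readable copy for portability, and remove every copy for erasure while reporting what it removed.

```python
import json

# Constructed data map: three systems holding personal data about the same
# subjects, keyed differently (a common result of a data audit).
CRM = {
    "cust-1001": {"name": "Ada Example", "email": "ada@example.com"},
    "cust-1002": {"name": "Ben Example", "email": "ben@example.com"},
}
SUPPORT_TICKETS = [
    {"ticket": 501, "email": "ada@example.com", "text": "Login problem"},
    {"ticket": 502, "email": "ben@example.com", "text": "Invoice question"},
]
ANALYTICS_EVENTS = [
    {"customer_id": "cust-1001", "event": "page_view", "ip": "203.0.113.5"},
    {"customer_id": "cust-1001", "event": "purchase", "ip": "203.0.113.5"},
    {"customer_id": "cust-1002", "event": "page_view", "ip": "203.0.113.9"},
]


def locate(customer_id):
    """Right of access: gather every record about one subject. The ticket
    system keys on email, so the join goes through the CRM profile."""
    profile = CRM.get(customer_id)
    if profile is None:
        return {}
    email = profile["email"]
    return {
        "crm": profile,
        "support_tickets": [t for t in SUPPORT_TICKETS if t["email"] == email],
        "analytics_events": [e for e in ANALYTICS_EVENTS
                             if e["customer_id"] == customer_id],
    }


def export(customer_id):
    """Data portability: a structured, machine-readable copy of everything
    located, in a stable key order so the subject can diff repeat exports."""
    return json.dumps(locate(customer_id), indent=2, sort_keys=True)


def erase(customer_id):
    """Right to erasure: remove the subject from every store and return how
    many records were deleted. Records a legal obligation requires you to
    retain are exempt under GDPR and would be filtered out before this step."""
    found = locate(customer_id)
    if not found:
        return 0
    email = found["crm"]["email"]
    removed = len(found["support_tickets"]) + len(found["analytics_events"])
    # Rebind in place so every module holding a reference sees the deletion.
    SUPPORT_TICKETS[:] = [t for t in SUPPORT_TICKETS if t["email"] != email]
    ANALYTICS_EVENTS[:] = [e for e in ANALYTICS_EVENTS
                           if e["customer_id"] != customer_id]
    del CRM[customer_id]
    return removed + 1  # the CRM profile itself


if __name__ == "__main__":
    print(export("cust-1001"))
    print("erased", erase("cust-1001"), "records")
    print("after erasure:", locate("cust-1001"))
```

The count returned by `erase` is what an auditor asks for: evidence that every store in the data map was visited. A real handler would also log the request, the timestamp and the systems touched, and would treat a store that is missing from the map as a finding rather than a silent gap.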

Strategic Shifts: The CISO as a Business Enabler

Historically, the CISO role was often seen as a technical gatekeeper focused on firewalls and incident response. However, under GDPR, the CISO must evolve into a strategic business enabler. This shift requires a deep understanding of the organization’s data flows, risk appetite, and regulatory landscape. GDPR compliance strategy now sits at the intersection of legal, IT, and business operations.

Privacy by design and by default is a cornerstone of GDPR. This principle mandates that data protection measures be integrated into the development of products, services, and systems from the very beginning, rather than bolted on later. CISOs must work closely with product teams, developers, and data scientists to embed privacy controls into the design phase. This proactive approach not only ensures compliance but also builds customer trust and reduces the risk of costly breaches.

Furthermore, GDPR requires the appointment of a Data Protection Officer (DPO) in many cases. While the DPO role is distinct from the CISO, the two must collaborate closely. The CISO provides the technical security expertise, while the DPO focuses on legal compliance and data protection strategy. This partnership is essential for creating a cohesive data governance framework.

Operational Challenges and Practical Steps for CISOs

Implementing GDPR compliance is a monumental task that demands a structured approach. CISOs should begin by conducting a comprehensive data audit to understand what personal data is collected, where it is stored, how it is processed, and with whom it is shared. This includes mapping data flows across the organization and with third-party vendors. Data privacy audit tools can help automate this process.

Next, organizations must update their data protection policies and procedures to align with GDPR requirements. This includes establishing clear protocols for breach notification—GDPR mandates that breaches be reported to the relevant supervisory authority within 72 hours of discovery. CISOs must ensure that incident response plans are robust and tested regularly. Training employees on data protection principles is also critical, as human error remains a leading cause of data breaches.

Technology plays a vital role in GDPR compliance. Encryption, access controls, and data loss prevention systems must be deployed to protect personal data. Additionally, organizations should consider implementing privacy-enhancing technologies like pseudonymization and anonymization to reduce risk. However, technology alone is not enough; a culture of privacy and security must permeate the entire organization.
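Pseudonymization and anonymization are named above as risk-reducing technologies, and the earlier section notes that pseudonymous data still counts as personal data when re-identification is possible. The following is an added example, not code from the article: `RECORDS`, the key value and the `pseudonymize`/`reidentify`/`anonymize` functions are all constructed. It shows keyed pseudonymization (HMAC-SHA256 over the identifier, reversible only by whoever holds the key) beside aggregation-based anonymization that suppresses small groups, so the difference in residual risk is visible in the output.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed analytics records carrying a direct identifier (email).
RECORDS = [
    {"email": "ada@example.com", "age": 34, "city": "Boston", "spend": 120.0},
    {"email": "ben@example.com", "age": 52, "city": "Boston", "spend": 80.5},
    {"email": "ada@example.com", "age": 34, "city": "Boston", "spend": 15.0},
    {"email": "cara@example.com", "age": 38, "city": "Boston", "spend": 40.0},
]


def pseudonymize(records, key):
    """Replace the email with a keyed HMAC-SHA256 tag. Same subject, same tag,
    so per-person analysis still works; without the key the tag cannot be
    reversed. The key must live apart from the data, under the controller."""
    out = []
    for r in records:
        tag = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()
        rest = {k: v for k, v in r.items() if k != "email"}
        out.append({"subject": tag, **rest})
    return out


def reidentify(tag, candidate_emails, key):
    """Whoever holds the key can map a tag back to a known subject, which is
    why GDPR still treats pseudonymised data as personal data."""
    for email in candidate_emails:
        expected = hmac.new(key, email.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            return email
    return None


def anonymize(records, k=2):
    """Aggregate by city and age decade, and suppress any group with fewer
    than k distinct subjects. No key exists, so nothing maps back to a person."""
    groups = defaultdict(lambda: {"emails": set(), "spend": 0.0})
    for r in records:
        decade = (r["age"] // 10) * 10
        g = groups[(r["city"], f"{decade}-{decade + 9}")]
        g["emails"].add(r["email"])
        g["spend"] += r["spend"]
    return {
        grp_key: {"subjects": len(g["emails"]), "spend": round(g["spend"], 2)}
        for grp_key, g in groups.items()
        if len(g["emails"]) >= k
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # generated once, stored separately from the data
    print(pseudonymize(RECORDS, key)[0])
    print(anonymize(RECORDS))
```

Note that an unkeyed hash of the email would not be pseudonymization in any useful sense: anyone with a list of candidate addresses could recompute it. The HMAC key is the control, and its storage and access policy belong in the same data map the rest of the compliance program uses.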

Vendor Risk Management Under GDPR

Third-party vendors who process personal data on behalf of an organization must be held to the same standards. CISOs need to conduct due diligence on all processors, review contracts to ensure they include GDPR-required clauses, and monitor compliance continuously. This extends the CISO’s influence beyond the enterprise firewall, requiring strong vendor management programs. Third-party risk management is now a non-negotiable component of the CISO role.

Conclusion: Embracing GDPR as an Opportunity

While the CISO's role in GDPR compliance presents immense challenges, it also offers a unique opportunity. GDPR forces organizations to mature their information security and risk management practices. For CISOs, this is a chance to demonstrate strategic value, gain a seat at the executive table, and drive business resilience. The regulation may accelerate necessary changes that might otherwise have been postponed. As one observer noted, “Long live the GDPR!”—because it compels a qualitative leap in how we protect privacy in a connected world.

In summary, the CISO must become a champion of data privacy, bridging the gap between legal requirements, technical controls, and business objectives. By embracing privacy by design, fostering cross-functional collaboration, and maintaining rigorous compliance processes, CISOs can turn GDPR from a burden into a competitive advantage. The journey is demanding, but the destination—a trusted, secure, and compliant organization—is well worth the effort.
