Live radio interview on the John Hines Show on WCCO-AM

There are three best practices that security professionals supporting schools can follow to help make the school year uneventful in their district: defending user identities, patching endpoints, and running quarterly tabletop exercises.

A hacker can say that an institution has 90 days to fix a vulnerability before publicly divulging the secret, and for the vulnerable bank or credit union, that might come off as extortion or a threat. However, it is well within the boundaries of normal security research to do that, according to Kayne McGladrey, Field CISO for the security and compliance company Hyperproof.

“If the company doesn’t respond in a timely manner, that’s where you can get vulnerability disclosures after a reasonable period of time, like 90 or 120 days, or 180 days, depending on which philosophy the researcher subscribes to,” McGladrey said. “That’s all well within the ethical boundaries of a normal security researcher.”

The key difference between an ethical and unethical hacker — between extortion and responsible disclosure — is what the hacker does with the vulnerability.

“I think it’s very possible to say you can prove you can use this vulnerability — maybe it’s to steal a whole bunch of credit card information — without actually doing it,” McGladrey said. “You just show that you can.

“IoT device monetization strategies have nonobvious supply chain privacy risks. IoT device manufacturers may choose to incorporate one or more advertising or marketing APIs to generate incidental revenue that is unrelated to the primary subscription costs of the IoT device and service.”

While homomorphic encryption can require lots of computing power, it has a few big upsides. For one thing, according to Kayne McGladrey, IEEE Senior Member, it allows companies in highly regulated industries, such as finance or healthcare, to store data on a public cloud. “As the data remains encrypted in all phases, even a data breach of a third party will not provide a threat actor with access to encrypted data,” McGladrey said.

The workforce of tomorrow still will be technically savvy, well-versed in machine learning and data science. Advanced machine learning skills will be important, but Kayne McGladrey (@kaynemcgladrey), Director of Security and Information Technology at Pensar Development, recommended that those looking for future employment also consider learning a programming language.

“The intent here is not to master it,” McGladrey explained, “but rather to gain an understanding and appreciation of how things work from the inside out. Employers are also looking for career stability so that they can invest in their people, so don’t hop from company to company on an annual basis.”

IT and security response to the coronavirus pandemic was heroic. Although many organizations had some degree of remote-work capabilities pre-COVID-19, the past year brought this work to new levels.

Enterprise security has had to quickly evolve alongside the shift to remote work and cloud adoption. For example, companies successfully ramped up VPN infrastructure, shifted to online models of collaboration software, and re-examined security policies in light of a highly distributed workforce.