You are viewing content from a past/completed QCon -

Presentation: Data Security Dreams and Nightmares

Track: Real World Security

Location: Majestic Complex, 6th fl.

Duration: 11:50am - 12:40pm

Day of week:

Slides: Download Slides

Level: Intermediate

Persona: Architect, CTO/CIO/Leadership, Developer, Security Professional

This presentation is now available to view on

Watch video

What You’ll Learn

  • Learn from the success and failure of companies who have had major security breach.

  • Hear about common mistakes made when dealing with application security.

  • Understand strategies to minimize the attack surface of your applications.


We don’t often hear about successes of data security programs, yet failures in securing data are trumpeted by the media leading to commercial disbarment of anyone associated with a data breach. What lessons did I learn by observing and assisting with data breaches? It is not only how to avoid them, but also what can be done to emerge successfully from a bad situation. This is a thrilling ride with a behind-the-scenes look into many major data breach dynamics. Let’s learn from their mistakes, not your own.


What’s the focus of the work you do today?


We have done a lot of research over the years looking at information security, specifically around breaches. Whether it’s an honest mistake, a not so honest mistake, or pure negligence, breaches cause huge issues to a company and its victims. There’s a resulting correlation between good security and rewards.


What insight can you provide to prevent us from making the same mistakes?


Study and learn from the companies who have had breaches. How were the data security practices, and what caused the resulting breach? Was the breach resolved correctly, or were there problems with the solution? What damage did that cause the company? There’s a correlation between good security and rewards and understanding this can help you make the right decisions


What examples can you share from the major breaches you’ve uncovered?


One example is the Yahoo breach that occurred in the midst of a corporate crisis. The hackers had a very small sample that looked like Yahoo data but they didn’t actually have any data in their possession that belonged to Yahoo. Unfortunately, that affected the company’s perception and subsequent sale to Verizon.

Another example would be the Equifax breach. Their outgoing CEO blamed a single person for the breach, a single point of failure which was completely not true. It was the entire company’s environment and security practices that led to the downfall.


Can you give me an example of a breach resolved positively?  


A positive incident response would be the 2014 breach of JPMorgan Chase. They disclosed quite a bit of detail about the breach and invested over $250 million in information security practice to make themselves more secure. They not only gave investors and clients peace of mind, but they’ve stayed mostly breach-free for the past 4 years. That is a huge undertaking in today’s society.


Who is the target audience for your talk?


Any person who has a stake in the information security process. Security is not a single person’s responsibility but is a multi-person effort. Everyone can learn from other companies’ mistakes that led to breaches and downfalls. Developing secure software is good in theory but it’s having a security mindset that is important.


What’s the most common mistake you see companies or people make?


Complacency. Thinking because you’ve already bought into security that you’re secure. You're not secure. You’re taking someone’s word that you’re secure. We are always coming up with new patches. You have to constantly think about improving security. Some companies are developing incentives for their developers to find security bugs. Instead of pointing fingers, they are rewarding developers for identifying honest security mistakes.


What do you feel is the most important trend in software today?


The speed of security development and the rapid deployment of solutions is changing the game. We are tired of the development of security features that takes months, leaving companies exposed for a significant amount of time.

Speaker: Alex Holden

Founder and Chief Information Security Officer @HoldSecurity

Alex Holden is the founder and CISO of Hold Security, LLC. His experience unites work from leadership positions within corporate data security and security consulting. Under his leadership, Hold Security played a pivotal role in Information Security and Threat Intelligence, becoming one of the most recognizable names in its field. Mr. Holden is credited with the discovery of many high profile breaches including Adobe Systems and JPMorgan. In 2014, he discovered the largest breach of data to-date - Cybervor breach. He leads Hold Security in helping all size businesses, including global Fortune 500 companies, with their data security needs. Considered one of the leading security experts, he regularly voices his expert opinion in the mainstream media including CNN, NY Times, and Reuters.

Find Alex Holden at

Similar Talks